
3.3.5.7.4 Compound Identity

If a compound identity TGS-REQ (a FAST TGS-REQ explicitly armored with the computer's ticket-granting ticket (TGT)) is received and the Compound-Identity-supported bit is set in the application server's service account's KerbSupportedEncryptionTypes, the KDC SHOULD add to the privilege attribute certificate (PAC) a PAC_DEVICE_INFO structure ([MS-PAC] section 2.12) and a PAC_DEVICE_CLAIMS_INFO structure ([MS-PAC] section 2.13) with the group membership and claims for the computer.<66>

The armor key for an explicitly armored TGT is generated as follows:

 explicit_armor_key = KRB-FX-CF2(armor_subkey, ticket_session_key, "subkeyarmor", "ticketarmor")

The armor_subkey is the AP-REQ subkey associated with the armor ticket. The explicit armor key is then used to derive the armor key, which is used as specified in [RFC6113]:

 armor_key = KRB-FX-CF2(explicit_armor_key, subkey, "explicitarmor", "tgsarmor")

The KDC SHOULD add the COMPOUNDED_AUTHENTICATION SID ([MS-DTYP] section 2.4.2.4) to KERB_VALIDATION_INFO.ExtraSids and increment SidCount.

The KDC SHOULD populate the following PAC_DEVICE_INFO structure ([MS-PAC] section 2.12) fields by using the following fields from the KERB_VALIDATION_INFO structure from the computer’s TGT:

  • UserID: from the UserID field

  • PrimaryGroupId: from the PrimaryGroupId field

  • AccountDomainId: from the LogonDomainId field

  • AccountGroupCount: from the GroupCount field

  • AccountGroupIds: from the GroupIds field

The non-account domain fields MUST be initialized as follows:

  • SidCount field set to zero

  • ExtraSids field is NULL

  • DomainCount field set to zero

  • DomainGroup field is NULL

The KDC MUST call IDL_DRSGetMemberships ([MS-DRSR] section 4.1.8) to obtain the Domain Local Group Membership as described in section 3.3.5.7.3 using the computer TGT. If ExtraSids.Sid in the Domain Local Group Membership (section 3.3.5.7.3) is the only SID from a domain, then ExtraSids SHOULD be used:

  • Add one to the SidCount field.

  • The ExtraSids field SHOULD be populated with the value of the ExtraSids field in the Domain Local Group Membership (section 3.3.5.7.3), using the computer principal.

For the rest of the ExtraSids.Sid, DomainGroup SHOULD be used:

  • The DomainCount field contains the number of domains with DomainGroup populated.

  • The DomainGroup field SHOULD be populated for each domain where:

    • The DomainId field contains the SID for the domain.

    • The GroupCount field contains the number of groups in GroupIds field.

    • For each ExtraSids.Sid in the DomainId domain, the GroupIds field SHOULD be populated with the value of the ResourceGroupIds field in the Domain Local Group Membership (section 3.3.5.7.3) using the computer principal.
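The partitioning rule above (a lone SID from a domain goes to ExtraSids; several SIDs from one domain collapse into one DomainGroup entry holding the RIDs) is the part most easily got wrong, so here is an added worked example, not code from the specification or from any Windows component. It models the three structures with the fields this section populates and represents SIDs as strings; the structure names and sample SIDs are constructed for illustration.

```python
from dataclasses import dataclass, field

# Simplified models of the [MS-PAC] structures the text names; SIDs are strings such as
# "S-1-5-21-1-2-3-1108". Only the fields this section populates are modelled.
@dataclass
class KerbValidationInfo:          # from the computer's TGT ([MS-PAC] 2.5)
    user_id: int
    primary_group_id: int
    logon_domain_id: str
    group_ids: list                # RIDs relative to logon_domain_id

@dataclass
class DomainGroupMembership:       # one DomainGroup entry: a domain SID and its group RIDs
    domain_id: str
    group_ids: list                # GroupCount == len(group_ids)

@dataclass
class PacDeviceInfo:               # PAC_DEVICE_INFO ([MS-PAC] 2.12)
    user_id: int
    primary_group_id: int
    account_domain_id: str
    account_group_ids: list        # AccountGroupCount == len(account_group_ids)
    extra_sids: list = field(default_factory=list)     # SidCount == len(extra_sids)
    domain_groups: list = field(default_factory=list)  # DomainCount == len(domain_groups)

def split_sid(sid):
    """Return (domain SID, RID) for an account or group SID."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def build_pac_device_info(vinfo, domain_local_sids):
    """Populate PAC_DEVICE_INFO from the computer TGT's KERB_VALIDATION_INFO plus the
    domain local group SIDs obtained for the computer principal (section 3.3.5.7.3)."""
    info = PacDeviceInfo(vinfo.user_id, vinfo.primary_group_id,
                         vinfo.logon_domain_id, list(vinfo.group_ids))
    by_domain = {}                                     # domain SID -> [(sid, rid), ...]
    for sid in domain_local_sids:
        domain, rid = split_sid(sid)
        by_domain.setdefault(domain, []).append((sid, rid))
    for domain, members in by_domain.items():
        if len(members) == 1:
            # the only SID from its domain: carried whole in ExtraSids (SidCount grows by one)
            info.extra_sids.append(members[0][0])
        else:
            # several SIDs from one domain: DomainId stored once, the RIDs in GroupIds
            info.domain_groups.append(DomainGroupMembership(domain, [rid for _, rid in members]))
    return info
```

With no domain local groups at all, both lists stay empty, matching the zero/NULL initialization the text requires.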

The KDC SHOULD populate the following PAC_DEVICE_CLAIMS_INFO structure ([MS-PAC] section 2.13) fields using the following fields from the PAC_CLIENT_CLAIMS_INFO structure from the computer's TGT:

  • Claims: from the Claims field

© 2016 Microsoft