Kerberos V5 specifies the AS exchange ([RFC4120] section 3.1). KILE also supports extensions to the AS exchange specified in [Referrals-11], [RFC5349], [RFC4556], and [MS-PKCA].
If Pre-AuthenticationNotRequired is set to TRUE on the principal, the KDC MUST issue a TGT without validating any pre-authentication data ([RFC4120] section 7.5.2) that was provided.
If DES is used for pre-authentication, the KDC MUST:<50>
If UseDESOnly is not set: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.
Otherwise, if the account is:
krbtgt: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.
The computer account of a KDC: the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.
The KDC SHOULD<51> return in the encrypted part of the AS-REP message a PA-DATA structure with padata-type set to PA-SUPPORTED-ENCTYPES [165] (section 2.2.8), to indicate what encryption types (section 2.2.7) are supported by the KDC, and whether Claims or FAST are supported.<52>
If domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25), the KDC MUST check whether the account is a member of PROTECTED_USERS ([MS-DTYP] section 2.4.2.4). If it is a member of PROTECTED_USERS, then:<53>
If pre-authentication used DES or RC4, the KDC MUST return KDC_ERR_ETYPE_NOTSUPP.
MaxRenewAge (section 3.3.1) for the TGT is 4 hours unless specified by policy.
MaxTicketAge (section 3.3.1) for the TGT is 4 hours unless specified by policy.
If domainControllerFunctionality returns a value >= 6, the KDC MUST determine whether an Authentication Policy is applied to the account (section 3.3.5.5). If Enforced is TRUE, then:<54>
If TGTLifetime is not 0: MaxRenewAge for the TGT is TGTLifetime.
If TGTLifetime is not 0: MaxTicketAge for the TGT is TGTLifetime.
If AllowedToAuthenticateFrom is not NULL, the PAC of the armor TGT MUST be used to perform an access check for the ACTRL_DS_CONTROL_ACCESS right against the AllowedToAuthenticateFrom. If the access check fails, the KDC MUST return KDC_ERR_POLICY, as specified in [RFC4120] section 7.5.9.
The KDC checks whether the domainControllerFunctionality ([MS-ADTS] section 3.1.1.3.2.25) returns a value:
< 3: the KDC, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, includes a PA-DATA structure with padata-type set to PA-SUPPORTED-ENCTYPES [165], and padata-value is set to 0x7 (section 2.2.7).
>= 3: the KDC, in the encrypted pre-auth data part of the AS-REP message, includes a PA-DATA structure with padata-type set to PA-SUPPORTED-ENCTYPES [165], and padata-value is set to 0x1F (section 2.2.7).
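The KDC-side rules above (DES pre-authentication restrictions, the PROTECTED_USERS checks, the enforced Authentication Policy, and the PA-SUPPORTED-ENCTYPES value chosen by domainControllerFunctionality) can be read as one decision procedure. The following is an added example that models that procedure in Python; it is not code from [MS-KILE] or from any Windows implementation. The `Account` fields, the `armor_access_granted` parameter standing in for the ACTRL_DS_CONTROL_ACCESS check against AllowedToAuthenticateFrom, and the `policy_*` lifetime parameters (section 3.3.1 values, which this page does not state) are assumptions; the bit meanings used by `decode_supported_enctypes` come from [MS-KILE] section 2.2.7, which is referenced but not restated here, and KDC_ERR_PREAUTH_REQUIRED is the [RFC4120] behaviour for a missing pre-authentication, not something this page spells out.

```python
"""Model of the KDC checks for the AS exchange described in this section (added example)."""
from dataclasses import dataclass
from typing import Optional

# Error codes named on the page, with their [RFC4120] numeric values.
KDC_ERR_POLICY = 12
KDC_ERR_ETYPE_NOTSUPP = 14
KDC_ERR_PREAUTH_REQUIRED = 25   # RFC 4120 behaviour, not stated on this page

# padata-type of PA-SUPPORTED-ENCTYPES as given on the page.
PA_SUPPORTED_ENCTYPES = 165

# Constructed etype labels used to classify the pre-authentication encryption type.
DES_TYPES = {"des-cbc-crc", "des-cbc-md5"}
RC4_TYPES = {"rc4-hmac"}

# Bit meanings of the KERB-SUPPORTED-ENCTYPES value ([MS-KILE] section 2.2.7).
SUPPORTED_ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC", 0x02: "DES-CBC-MD5", 0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96", 0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "FAST-supported", 0x40: "Compound-identity-supported",
    0x80: "Claims-supported", 0x200: "Resource-SID-compression-disabled",
}

FOUR_HOURS = 4 * 60 * 60   # PROTECTED_USERS default lifetime, in seconds


@dataclass
class Account:
    """Assumed account attributes relevant to this section."""
    name: str
    is_krbtgt: bool = False
    is_kdc_computer: bool = False
    pre_auth_not_required: bool = False
    use_des_only: bool = False
    protected_user: bool = False
    policy_enforced: bool = False                     # Authentication Policy, section 3.3.5.5
    tgt_lifetime: int = 0                             # seconds; 0 means "not set"
    allowed_to_authenticate_from: Optional[str] = None


@dataclass
class Result:
    error: Optional[int] = None
    max_renew_age: Optional[int] = None
    max_ticket_age: Optional[int] = None
    supported_enctypes: int = 0


def as_exchange_checks(account: Account, preauth_etype: Optional[str],
                       dc_functionality: int,
                       policy_renew_age: Optional[int] = None,
                       policy_ticket_age: Optional[int] = None,
                       armor_access_granted: Optional[bool] = None) -> Result:
    """Apply the page's rules in order; the first failing rule sets `error`."""
    r = Result()

    # No pre-authentication data: only acceptable when Pre-AuthenticationNotRequired is TRUE.
    if preauth_etype is None and not account.pre_auth_not_required:
        r.error = KDC_ERR_PREAUTH_REQUIRED
        return r

    # DES pre-authentication: refused unless UseDESOnly is set, and always refused
    # for krbtgt and for the computer account of a KDC.
    if preauth_etype in DES_TYPES:
        if not account.use_des_only or account.is_krbtgt or account.is_kdc_computer:
            r.error = KDC_ERR_ETYPE_NOTSUPP
            return r

    # Baseline lifetimes come from policy (section 3.3.1, assumed values here).
    r.max_renew_age = policy_renew_age
    r.max_ticket_age = policy_ticket_age

    # PROTECTED_USERS handling applies only at domainControllerFunctionality >= 6.
    if dc_functionality >= 6 and account.protected_user:
        if preauth_etype in DES_TYPES | RC4_TYPES:
            r.error = KDC_ERR_ETYPE_NOTSUPP
            return r
        r.max_renew_age = policy_renew_age if policy_renew_age is not None else FOUR_HOURS
        r.max_ticket_age = policy_ticket_age if policy_ticket_age is not None else FOUR_HOURS

    # Enforced Authentication Policy, also only at domainControllerFunctionality >= 6.
    if dc_functionality >= 6 and account.policy_enforced:
        if account.tgt_lifetime != 0:
            r.max_renew_age = account.tgt_lifetime
            r.max_ticket_age = account.tgt_lifetime
        if account.allowed_to_authenticate_from is not None and not armor_access_granted:
            r.error = KDC_ERR_POLICY      # armor TGT PAC failed the access check
            return r

    # PA-SUPPORTED-ENCTYPES value returned in the encrypted pre-auth data part.
    r.supported_enctypes = 0x7 if dc_functionality < 3 else 0x1F
    return r


def decode_supported_enctypes(value: int) -> list:
    """Name the bits set in a KERB-SUPPORTED-ENCTYPES value (section 2.2.7)."""
    return [name for bit, name in sorted(SUPPORTED_ENCTYPE_BITS.items()) if value & bit]


if __name__ == "__main__":
    pu = Account("alice", protected_user=True)
    print(as_exchange_checks(pu, "rc4-hmac", 7))          # error 14
    print(as_exchange_checks(pu, "aes256-cts", 7))        # 4 h lifetimes, 0x1F
    print(decode_supported_enctypes(0x1F))
```

Reading the result for a PROTECTED_USERS account shows why the section pins the TGT lifetime to 4 hours and rejects DES and RC4 only when the forest is at functional level 6 or higher: a lower domainControllerFunctionality leaves the protections unapplied, which is the first thing to verify when auditing a domain that relies on that group.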