2.2.64 FW_AUTH_SET2_10
This structure contains a list of FW_AUTH_SUITE2_10 elements that are ordered from highest to lowest preference and are negotiated with remote peers to establish authentication algorithms.
    typedef struct _tag_FW_AUTH_SET2_10 {
        struct _tag_FW_AUTH_SET2_10* pNext;
        unsigned short wSchemaVersion;
        [range(FW_IPSEC_PHASE_INVALID+1, FW_IPSEC_PHASE_MAX-1)]
        FW_IPSEC_PHASE IpSecPhase;
        [string, range(1,255), ref] wchar_t* wszSetId;
        [string, range(1,10001)] wchar_t* wszName;
        [string, range(1,10001)] wchar_t* wszDescription;
        [string, range(1,10001)] wchar_t* wszEmbeddedContext;
        [range(0,1000)] unsigned long dwNumSuites;
        [size_is(dwNumSuites)] PFW_AUTH_SUITE pSuites;
        [range(FW_RULE_ORIGIN_INVALID,FW_RULE_ORIGIN_MAX-1)]
        FW_RULE_ORIGIN_TYPE Origin;
        [string, range(1,10001)] wchar_t* wszGPOName;
        FW_RULE_STATUS Status;
        unsigned long dwAuthSetFlags;
    } FW_AUTH_SET2_10, *PFW_AUTH_SET2_10;
pNext: A pointer to the next FW_AUTH_SET2_10 in the list.
wSchemaVersion: Specifies the version of the set.
IpSecPhase: This field is of type FW_IPSEC_PHASE, and it specifies if this authentication set applies for first or second authentications.
wszSetId: A pointer to a Unicode string that uniquely identifies the set. The default set for this policy object is identified with the "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}" string for Phase1 and the "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}" string for Phase2. Default sets are merged across policy stores, and only one is enforced according to predefined merge logic rules.
wszName: A pointer to a Unicode string that provides a friendly name for the set.
wszDescription: A pointer to a Unicode string that provides a friendly description for the set.
wszEmbeddedContext: A pointer to a Unicode string that provides a way for applications to store relevant application-specific context that is related to the set.
dwNumSuites: Specifies the number of authentication suites that the structure contains.
pSuites: A pointer to an array of FW_AUTH_SUITE elements. The number of elements is given by dwNumSuites.
Origin: This field is the set origin, as specified in the FW_RULE_ORIGIN_TYPE enumeration. It MUST be filled on enumerated rules and ignored on input.
wszGPOName: A Unicode string that represents the name of the originating GPO. It MUST be set if the origin is Group Policy; otherwise, it MUST be NULL.
Status: A status code of the set, as specified by the FW_RULE_STATUS enumeration. This field is filled out when the structure is returned as output. On input, this field MUST be set to FW_RULE_STATUS_OK.
dwAuthSetFlags: A reserved value and not currently used. It MUST be set to 0.
The following are semantic checks that authentication sets MUST pass:
The wSchemaVersion field MUST NOT be less than 0x000200.
The wszSetId field MUST NOT contain the pipe (|) character, MUST NOT be NULL, MUST be at least 1 character long, and MUST NOT be greater than or equal to 255 characters.
If the wszName field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.
If the wszDescription field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.
If the wszEmbeddedContext field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.
The IpSecPhase field MUST have valid FW_IPSEC_PHASE values.
If IpSecPhase is FW_IPSEC_PHASE_1:
The wszSetId field MUST NOT have the default phase 1 authentication set ID as a prefix.
The authentication set MUST have at least one authentication suite.
The dwNumSuites field MUST agree with the pSuites field.
The authentication suites methods MUST only be FW_AUTH_METHOD_ANONYMOUS, FW_AUTH_METHOD_MACHINE_KERB, FW_AUTH_METHOD_MACHINE_NTLM, FW_AUTH_METHOD_MACHINE_CERT, or FW_AUTH_METHOD_MACHINE_SHKEY.
Authentication suites that have a method other than machine certificate MUST have the wFlags field of the same suite set to 0.
If the set schema policy version is 0x200, the wFlags field MUST NOT contain the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 or the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.
The wFlags field MUST NOT contain both the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 and the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.
All suites that have the FW_AUTH_METHOD_MACHINE_CERT method and a wFlags field with the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 flag set, MUST be contiguous. The same applies for those suites that have the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flag set, and those suites that have neither flag set (they default to RSA signing).
All such contiguous suites that have a specific signing flag (either none, ECDSA256, or ECDSA384) MUST have the same value for the FW_AUTH_SUITE_FLAGS_HEALTH_CERT flag. It MUST be set either in all or in none.
The set MUST NOT have more than one suite that has the anonymous method (FW_AUTH_METHOD_ANONYMOUS), or that has the machine kerb method (FW_AUTH_METHOD_MACHINE_KERB), or that has the machine ntlm method (FW_AUTH_METHOD_MACHINE_NTLM), or that has the machine shkey method (FW_AUTH_METHOD_MACHINE_SHKEY), as defined in section 2.2.60.<17>
The set MUST NOT have both a suite that has an NTLM Authentication Protocol method (as specified in [MS-NLMP]) and a suite that has the SHKey method.
If the set has a machine certificate suite that has a wFlags field that contains the flag FW_AUTH_SUITE_FLAGS_HEALTH_CERT, all machine certificate method suites in the set MUST also have this flag.
If the set schema policy version is less than 0x214, the set MUST NOT have suites that contain the FW_AUTH_METHOD_MACHINE_NEGOEX authentication method.
If the IpSecPhase is FW_IPSEC_PHASE_2:
The wszSetId MUST NOT have the default phase 2 authentication set ID as a prefix.
The dwNumSuites field MUST agree with the pSuites field.
The authentication suites methods MUST only be FW_AUTH_METHOD_ANONYMOUS, FW_AUTH_METHOD_USER_KERB, FW_AUTH_METHOD_USER_NTLM, FW_AUTH_METHOD_USER_CERT, or FW_AUTH_METHOD_MACHINE_CERT.
The set MUST NOT have a suite that has the anonymous method as the only suite.
Suites in the set MUST NOT contain FW_AUTH_SUITE_FLAGS_CERT_EXCLUDE_CA_NAME.
Suites that have user certificate methods MUST NOT contain the FW_AUTH_SUITE_FLAGS_HEALTH_CERT flag; however, suites that have machine certificate methods MUST contain it.
Authentication suites that have a method other than machine certificate or user certificate MUST have the wFlags field of the same suite set to 0.
If the set schema policy version is 0x200, the wFlags field MUST NOT contain the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 or the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.
The wFlags field MUST NOT contain both the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 and the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.
All suites that have a FW_AUTH_METHOD_MACHINE_CERT method and a wFlags field with the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 flag set, MUST be contiguous. The same applies to those suites that have the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flag set and those suites that have neither flag set (they default to RSA signing).
The set MUST NOT have more than one suite that has the anonymous method (FW_AUTH_METHOD_ANONYMOUS), or that has the user kerb method (FW_AUTH_METHOD_USER_KERB), or that has the user ntlm method (FW_AUTH_METHOD_USER_NTLM), as defined in section 2.2.60.<18>
A set that contains a suite that has the machine certificate method MUST NOT contain suites that have the user certificate method.
A set that contains a suite that has the machine certificate method MUST only contain more suites that have machine certificate or anonymous methods.
If the set schema policy version is less than 0x214, the set MUST NOT have suites that contain the FW_AUTH_METHOD_USER_NEGOEX authentication method.
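The following validator, added here as an example and not part of [MS-FASP] or any Windows implementation, applies the core Phase 1 and Phase 2 semantic checks above (schema version, set ID, permitted methods, ECDSA flag rules, contiguity of signing groups, HEALTH_CERT consistency, singleton methods, NTLM/SHKey and machine/user certificate mixing) to an in-memory model of an authentication set. The flag bit values, phase values and method names are constructed stand-ins for the real FW_AUTH_SUITE encodings; the default-set-ID prefix checks are omitted.

```python
from dataclasses import dataclass
from itertools import groupby
# Constructed flag/phase values for illustration; the real encodings live in section 2.2.60.
ECDSA256, ECDSA384, HEALTH_CERT, EXCLUDE_CA_NAME = 0x1, 0x2, 0x4, 0x8
PHASE_1, PHASE_2 = 1, 2
ALLOWED = {PHASE_1: {"ANONYMOUS", "MACHINE_KERB", "MACHINE_NTLM", "MACHINE_CERT", "MACHINE_SHKEY"},
           PHASE_2: {"ANONYMOUS", "USER_KERB", "USER_NTLM", "USER_CERT", "MACHINE_CERT"}}
SINGLETONS = ("ANONYMOUS", "MACHINE_KERB", "MACHINE_NTLM", "MACHINE_SHKEY", "USER_KERB", "USER_NTLM")

@dataclass
class Suite:            # stand-in for one entry of pSuites: method name plus its wFlags
    method: str
    flags: int = 0

@dataclass
class AuthSet:          # the FW_AUTH_SET2_10 fields the checks below consume
    schema_version: int
    phase: int
    set_id: str
    suites: list

def validate(aset):
    """Return the list of violated checks; an empty list means the set passes."""
    errs = []
    if aset.schema_version < 0x200: errs.append("wSchemaVersion below 0x200")
    if not 1 <= len(aset.set_id) < 255 or "|" in aset.set_id: errs.append("bad wszSetId")
    methods = [s.method for s in aset.suites]
    if aset.phase == PHASE_1 and not methods: errs.append("phase 1 set has no suites")
    if any(m not in ALLOWED.get(aset.phase, ()) for m in methods): errs.append("method not valid for phase")
    for s in aset.suites:
        ecdsa = s.flags & (ECDSA256 | ECDSA384)
        if "CERT" not in s.method and s.flags: errs.append(f"wFlags set on {s.method}")
        if ecdsa == (ECDSA256 | ECDSA384): errs.append("both ECDSA flags set")
        if aset.schema_version == 0x200 and ecdsa: errs.append("ECDSA flag on 0x200 schema")
        if aset.phase == PHASE_2 and s.flags & EXCLUDE_CA_NAME: errs.append("EXCLUDE_CA_NAME in phase 2")
    # Machine-cert suites form one contiguous run per signing choice (RSA/ECDSA256/ECDSA384); HEALTH_CERT is all-or-none.
    mc = [s for s in aset.suites if s.method == "MACHINE_CERT"]
    runs = [k for k, _ in groupby(mc, key=lambda s: s.flags & (ECDSA256 | ECDSA384))]
    if len(runs) != len(set(runs)): errs.append("signing groups not contiguous")
    if len({bool(s.flags & HEALTH_CERT) for s in mc}) > 1: errs.append("HEALTH_CERT mixed across machine-cert suites")
    errs += [f"duplicate {m} suite" for m in SINGLETONS if methods.count(m) > 1]
    if {"MACHINE_NTLM", "MACHINE_SHKEY"} <= set(methods): errs.append("NTLM together with SHKey")
    if aset.phase == PHASE_2:
        if methods == ["ANONYMOUS"]: errs.append("anonymous is the only suite")
        if mc and set(methods) - {"MACHINE_CERT", "ANONYMOUS"}: errs.append("machine cert mixed with other methods")
        if any(s.method == "USER_CERT" and s.flags & HEALTH_CERT for s in aset.suites): errs.append("HEALTH_CERT on user cert")
        if any(not s.flags & HEALTH_CERT for s in mc): errs.append("machine cert without HEALTH_CERT")
    return errs

# Constructed sample: two ECDSA256 machine-cert suites split by an RSA one, so the signing runs are not contiguous.
BAD_SET = AuthSet(0x214, PHASE_1, "{constructed-set-id}", [Suite("MACHINE_CERT", ECDSA256 | HEALTH_CERT),
          Suite("MACHINE_CERT", HEALTH_CERT), Suite("MACHINE_CERT", ECDSA256 | HEALTH_CERT)])
```

`validate(BAD_SET)` reports only the contiguity violation; reordering the suites so the two ECDSA256 entries are adjacent makes the set pass.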