Partilhar via


3.3.1 Abstract Data Model

This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.

KILE uses the abstract data model and default values specified in Kerberos V5, except for the following default configuration values ([RFC4120] section 8.2):

  • Minimum lifetime: 0 minutes.

  • MaxRenewAge: A 64-bit signed integer containing the maximum renewable lifetime. KILE implementations, which use the LSAD for the configuration database, can directly access the MaxRenewAge field in the Kerberos Policy Information ([MS-LSAD] section 3.1.1.1).

  • MaxClockSkew: A 64-bit signed integer containing the Acceptable clock skew. KILE implementations, which use the LSAD for the configuration database, can directly access the MaxClockSkew field in the Kerberos Policy Information.

The maximum ticket lifetime is configured separately for TGTs and service tickets:

  • MaxServiceTicketAge: A 64-bit signed integer containing the maximum service ticket lifetime. KILE implementations, which use the LSAD for the configuration database, can directly access the MaxServiceTicketAge field in the Kerberos Policy Information. The default is 10 hours.

  • MaxTicketAge: A 64-bit signed integer containing the maximum TGT lifetime. KILE implementations, which use the LSAD for the configuration database, can directly access the MaxTicketAge field in the Kerberos Policy Information. The default is 10 hours.

KILE also adds the following new KDC configuration setting:

  • AuthenticationOptions: A 32-bit unsigned integer containing the POLICY_KERBEROS_VALIDATE_CLIENT flag ([MS-LSAD] section 2.2.4.19). KILE implementations, which use the LSAD for the configuration database, can directly access the AuthenticationOptions field in the Kerberos Policy Information. Only the POLICY_KERBEROS_VALIDATE_CLIENT flag is supported and set by default.

  • ClaimsCompIdFASTSupport: A registry key for the KDC configuration setting. This 32-bit unsigned integer SHOULD<41> be used as follows:

    • If set to 0, there are no new behaviors.

    • If set to 1, the KDC supports claims, compound identity, and FAST and other KDCs in the domain do not.

    • If set to 2, all KDCs in the domain support claims, compound identity, and FAST.

    • If set to 3, all KDCs in the domain support claims and compound identity and enforce FAST.

    The implementation SHOULD<42> also expose the key and value at the specified registry path.

KILE implementations that use Active Directory for the account database support the following variables:

  • NetbiosServerName: The NetBIOS name for the server. This Abstract Data Model element is shared with ComputerName.NetBIOS ([MS-WKST] section 3.2.1.2).

  • NetbiosDomainName: The NetBIOS domain name for the domain to which the server belongs. This Abstract Data Model element is shared with DomainName.NetBIOS ([MS-WKST] section 3.2.1.6).

  • DomainSid: A security identifier (SID) for the domain. This Abstract Data Model element is shared with DomainSid ([MS-WKST] section 3.2.1.6).