Share via

Kerberos Group Membership Protocols Scenario

  • Article

Describes the structure of AD group membership authorization data carried in the field of a Kerberos ticket for use by servers in performing access control.

Specification

Description

[MS-CTA]: Claims Transformation Algorithm

Specifies the Claims Transformation Algorithm (CTA), which consists of two components: a grammar describing a transformation rules language and an algorithm for transforming input claims into output claims. A claim is an assertion about a user identity in the form of a name-value tuple. Sets of claims are transformed from sending authority formats to receiving authority formats at authentication trust traversal boundaries.

[MS-GPCAP]: Group Policy: Central Access Policies Protocol Extension

Specifies the Group Policy: Central Access Policies Extension, which provides the means of configuring central access policies that are applied to Group Policy client computer resources for authorization purposes.

[MS-KILE]: Kerberos Protocol Extensions

Specifies the Microsoft implementation of the Kerberos Protocol Extensions, as specified in [RFC4120], by specifying any Windows behaviors that differ from the Kerberos Protocol, in addition to Windows extensions for interactive logon and the inclusion of authorization information expressed as group memberships and related information.

[MS-PAC]: Privilege Attribute Certificate Data Structure

Specifies the Privilege Attribute Certificate Data Structure, which is used to encode authorization information. The Privilege Attribute Certificate also contains memberships, additional credential information, profile and policy information, and supporting security metadata.

[MS-RAA]: Remote Authorization API Protocol

Specifies the Remote Authorization API Protocol, which is used to perform “what-if” authorization queries on remote computers. It allows applications to simulate an access control decision that would be made when a principal attempts to access a remote resource protected with an authorization policy.

[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification

Specifies the Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol, which are two extensions to the Kerberos protocol as developed by Microsoft. These two extensions, collectively known as Service for User (S4U), enable an application service to obtain a Kerberos service ticket on behalf of a user.