2.1.4.1.3 Digest Protocol Extensions

The identity of the application client has been authenticated using the [MS-DPSP] and [MS-APDS] protocols, as described in [MS-AUTHSOD] section 2.1.2.4. After authentication, the domain controller creates and sends back the DIGEST_VALIDATION_RESP message ([MS-APDS] section 2.2.3.2) with authorization information in the Privilege Access Certificate (PAC) for the user's account.

The next step of the application server is to verify the access permissions of the user. The application server contacts the authorization system to get the access token by submitting the user's authorization information received from the DC. The authorization system builds the access token with the user's authorization information, local security groups from the security accounts manager (SAM) database, and privileges and logon rights from the Local Security Authority (LSA) database, and returns the access token to the application server.

The application server impersonates the user with the user's access token, and invokes the access check function in the authorization system through the object's resource manager by passing the access token, access mask, and security descriptor of the requested object. The authorization system executes the access check algorithm, as described in [MS-DTYP] section 2.5.3.2, to verify whether the user's identity has sufficient access permissions on the requested object.
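The following is an added illustration, not code from [MS-AUTHSOD] or [MS-DTYP]: a reduced model of the access check described above, walking the object's DACL in order against the SIDs in the caller's token. The SIDs, rights bits for the sample object, and ACEs are constructed for the example; only the standard rights READ_CONTROL and WRITE_DAC and the owner rule come from [MS-DTYP] 2.5.3.2, and inherit-only, object-specific, and privilege-based branches of the real algorithm are omitted.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Standard rights defined by MS-DTYP; the FILE_* values are sample object rights.
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000
FILE_READ_DATA, FILE_WRITE_DATA = 0x1, 0x2


@dataclass
class Ace:
    kind: str   # "allow" (ACCESS_ALLOWED) or "deny" (ACCESS_DENIED)
    sid: str
    mask: int   # access mask bits this ACE grants or denies


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[List[Ace]]   # None models an absent DACL (full access to all)


def access_check(token_sids: Set[str], desired: int, sd: SecurityDescriptor) -> bool:
    """Return True only if every bit in `desired` is granted to the token."""
    if sd.dacl is None:                 # no DACL at all: everything is allowed
        return True
    remaining = desired
    if sd.owner in token_sids:          # owner implicitly holds these two rights
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for ace in sd.dacl:                 # ACE order matters: first matching deny wins
        if remaining == 0:
            break
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False                # a denied bit is still outstanding
        if ace.kind == "allow":
            remaining &= ~ace.mask      # clear the bits this ACE grants
    return remaining == 0               # empty DACL or unsatisfied bits: denied


# Constructed sample: a user who is a member of BUILTIN\Users (S-1-5-32-545).
USER_SID, USERS_GROUP, OWNER_SID = "S-1-5-21-1-2-3-1104", "S-1-5-32-545", "S-1-5-21-1-2-3-500"
SAMPLE_TOKEN = {USER_SID, USERS_GROUP}
SAMPLE_SD = SecurityDescriptor(
    owner=OWNER_SID,
    dacl=[Ace("deny", USERS_GROUP, FILE_WRITE_DATA),                 # canonical: denies first
          Ace("allow", USER_SID, FILE_READ_DATA | FILE_WRITE_DATA)],
)
```

Because the deny ACE for Users precedes the allow ACE for the user, a write request fails even though a later ACE would have granted it, while a read request succeeds.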