2.1.4.1.1 Kerberos Protocol Extensions

The following diagram shows the protocol interactions when using Kerberos Protocol Extensions (KILE) (see [MS-KILE]) or Public Key Cryptography for Initial Authentication (PKCA) (see [MS-PKCA]) as the authentication protocol.


Figure 8: Protocol interactions when the authentication protocol is KILE or PKCA

The Kerberos application client has been authenticated using either the KILE or PKCA protocol and has obtained the service ticket for the Kerberos application server, as described in [MS-AUTHSOD] section 2.1.2.3. The Kerberos application client submits the service ticket, along with the user's authorization information as described in [MS-PAC], in a KRB_AP_REQ message to the Kerberos application server using an application-specific protocol.

The Kerberos application server validates the received KRB_AP_REQ message to verify the identity of the requesting user. If the verification succeeds, the Kerberos application server validates the Server Signature ([MS-PAC] section 2.8.1) in the Privilege Access Certificate (PAC), as described in [MS-PAC]. If tampering with the PAC could result in inappropriate elevation of privileges, then in addition to validating the server signature, the Key Distribution Center (KDC) signature is validated. If PAC validation is required (see [MS-APDS] for the requirements of PAC validation), the authorization system forwards the PAC signature from the KRB_AP_REQ message to the domain controller for verification in a KERB_VERIFY_PAC message, as described in [MS-APDS] section 3.2; otherwise it proceeds directly to constructing the access token. The authorization system constructs the access token from the group membership information in the PAC, the local security groups from the security accounts manager (SAM) database, and the privileges and logon rights from the Local Security Authority (LSA) database.

The application server impersonates the user with this access token and invokes the access check function of the authorization system (through the resource manager), passing the access token, the requested access mask, and the security descriptor of the requested object. The authorization system executes the access check algorithm, as described in [MS-DTYP] section 2.5.3.2, to determine whether the requesting identity has sufficient permissions to access the object.
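The final step, the DACL walk of the access check algorithm, as an added illustration that is not part of the original document: the token holds the SIDs assembled from the PAC and local SAM groups, and the DACL is evaluated in order against the requested mask. This is a simplified model of [MS-DTYP] section 2.5.3.2 (string SIDs, no privileges, integrity levels or MAXIMUM_ALLOWED handling); all SIDs and ACEs below are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Simplified model of the DACL walk in [MS-DTYP] section 2.5.3.2.
ACCESS_ALLOWED = "ALLOW"
ACCESS_DENIED = "DENY"
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000

@dataclass
class Ace:
    ace_type: str   # ACCESS_ALLOWED or ACCESS_DENIED
    sid: str        # trustee SID the ACE applies to
    mask: int       # access rights covered by the ACE

def access_check(token_sids: Set[str], owner_sid: str,
                 dacl: Optional[List[Ace]], requested: int) -> bool:
    """Return True only if every bit in `requested` is granted."""
    remaining = requested
    # The object owner is implicitly granted READ_CONTROL and WRITE_DAC.
    if owner_sid in token_sids:
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if remaining == 0:
        return True
    if dacl is None:           # NULL DACL: object is unprotected, grant all
        return True
    # ACEs are evaluated in order: a DENY overlapping any still-wanted bit
    # ends the walk with denial, an ALLOW removes the bits it covers.
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == ACCESS_DENIED and (ace.mask & remaining):
            return False
        if ace.ace_type == ACCESS_ALLOWED:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False               # empty DACL or uncovered bits: deny

# Constructed sample: a token built from PAC group SIDs plus a local group.
TOKEN = {"S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-513", "S-1-5-32-545"}
OWNER = "S-1-5-21-1-2-3-500"
DACL = [Ace(ACCESS_DENIED, "S-1-5-32-545", FILE_WRITE_DATA),
        Ace(ACCESS_ALLOWED, "S-1-5-21-1-2-3-513", FILE_READ_DATA | FILE_WRITE_DATA)]

def demo_read() -> bool:   # deny ACE does not overlap a read-only request
    return access_check(TOKEN, OWNER, DACL, FILE_READ_DATA)

def demo_write() -> bool:  # the earlier deny ACE wins over the later allow
    return access_check(TOKEN, OWNER, DACL, FILE_READ_DATA | FILE_WRITE_DATA)
```

The ordering matters: the same two ACEs with the allow placed first would grant the write, which is why canonical DACL order puts deny ACEs ahead of allow ACEs.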