3.1.1.2 Service Ticket Without the User Claims

This example applies when the client computer runs a Windows operating system earlier than Windows 8 and uses Kerberos as the authentication protocol.

Prerequisites

The following are the additional prerequisites that are required for this variant, in addition to the common prerequisites described in section 3.1:

  • The file server service has been authenticated by the KDC and has a TGT for the service account.

Initial System State

  • The identity of the client computer account has been authenticated by the Authentication Services subsystem, as described in [MS-AUTHSOD] section 2.5.5.1.

  • The identity of the user has been authenticated by the KDC and the file server, and the identity of the file server has been authenticated by the client computer, as described in [MS-AUTHSOD] section 3.3.1.

  • The file server has obtained, from the client, the PAC that contains the group memberships but not the user claims, and the SMB2 client (on the client computer) has obtained the sessionId as described in the Connecting to an SMB2 Share example in [MS-AUTHSOD] section 3.3.1.

  • The user who is running the SMB2 client application has not been authorized to read the remote file.

  • The file server has obtained the user's access token (security context), as described in section 2.5.1.3.1.

Final System State

  • The user who is running the SMB2 client application has been authorized to read the contents of the remote file.

Sequence of Events

The following sequence diagram shows the process of reading from a file on a remote CBAC-aware SMB2 share configured with only user claims.


Figure 19: Reading from a file on a remote CBAC-aware SMB2 share configured with only user claims

  1. The file server service uses the Service for User to Self (S4U2self) extension to retrieve a user claim for itself on behalf of the user. The service fills out the PA_FOR_USER data structure ([MS-SFU] section 2.2.1) and sends the KRB_TGS_REQ message, as described in [MS-SFU] section 3.1.5.1.1, to the KDC.

  2. The KDC processes the request and retrieves the claims and group membership associated with the user from the account database, as specified in [MS-SFU] section 3.2.5.1.2 and [MS-KILE] section 3.3.5.6.4.6. For more information, see [MS-ADOD]. The KDC returns the service ticket for the user in the KRB_TGS_REP message. The privilege attribute certificate (PAC) that is returned in the service ticket contains the group membership information and the user claims, as specified in [MS-PAC] section 3.

  3-10. The steps are the same as steps 1-8 in the "Service Ticket with the User and Device Claims" variant, as described in section 3.1.1.1.
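The following Python model illustrates why steps 1 and 2 are needed in this variant. It is an added example, not code from the specification or from any Windows component: the PAC, the service ticket, the account database, the SIDs, the claim names and values, and the file server SPN are all constructed stand-ins, and the KDC and file server logic is a simplified model of the behavior the text describes. A session established by a pre-Windows 8 client yields a PAC with group memberships only; a share whose access condition is written purely in user claims cannot be evaluated from that PAC, so the file server performs the S4U2self round-trip to obtain a ticket to itself for the user whose PAC carries the claims, and only then evaluates the condition.

```python
"""Model of the S4U2self claims fetch described in section 3.1.1.2.
Added illustration, not part of the specification; every structure,
name, SID and claim value below is a constructed stand-in."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Pac:
    """Stand-in for the PAC carried in a service ticket ([MS-PAC]):
    the user's group SIDs plus the user claims, if any were issued."""
    user: str
    groups: FrozenSet[str]
    claims: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class ServiceTicket:
    """Stand-in for the ticket returned in KRB_TGS_REP."""
    client: str   # user the ticket asserts
    service: str  # service principal the ticket is addressed to
    pac: Pac


# Constructed account database consulted by the model KDC in step 2.
# SIDs and claim values are placeholders, not real identifiers.
ACCOUNT_DB = {
    "alice": {"groups": {"S-1-5-21-EXAMPLE-1105"}, "claims": {"Department": "Finance"}},
    "bob":   {"groups": {"S-1-5-21-EXAMPLE-1105"}, "claims": {"Department": "Sales"}},
}

FILE_SERVER_SPN = "cifs/fileserver.example"          # hypothetical service principal
SHARE_CONDITION = {"Department": "Finance"}          # share condition using only user claims


def kdc_s4u2self(requesting_service: str, pa_for_user_name: str) -> ServiceTicket:
    """Model of the KDC handling an S4U2self KRB_TGS_REQ (steps 1 and 2):
    the service presents its own TGT plus PA_FOR_USER naming the user, and
    the KDC issues the service a ticket to itself for that user, with both
    group membership and user claims in the PAC."""
    account = ACCOUNT_DB.get(pa_for_user_name)
    if account is None:
        raise LookupError(f"KDC: no account named {pa_for_user_name!r}")
    pac = Pac(
        user=pa_for_user_name,
        groups=frozenset(account["groups"]),
        claims=dict(account["claims"]),
    )
    return ServiceTicket(client=pa_for_user_name, service=requesting_service, pac=pac)


def missing_claims(pac: Pac, required_claims: Dict[str, str]) -> List[str]:
    """Claims the share condition refers to that the PAC does not carry at all."""
    return [name for name in required_claims if name not in pac.claims]


def evaluate_cbac(pac: Pac, required_claims: Dict[str, str]) -> Tuple[bool, str]:
    """File server side: evaluate a condition expressed only in user claims.
    A claim absent from the PAC cannot satisfy the condition, so the check
    fails closed rather than guessing a value."""
    for name, wanted in required_claims.items():
        if name not in pac.claims:
            return False, f"claim {name!r} not present in PAC"
        if pac.claims[name] != wanted:
            return False, f"claim {name!r} is {pac.claims[name]!r}, need {wanted!r}"
    return True, "all required claims satisfied"


def read_with_claims_fetch(session_pac: Pac, required_claims: Dict[str, str]) -> Tuple[bool, str, bool]:
    """Whole flow of this variant. Returns (allowed, reason, used_s4u2self)."""
    pac = session_pac
    used_s4u2self = False
    if missing_claims(pac, required_claims):
        # Initial state: the PAC from a pre-Windows 8 client carries groups
        # only, so fetch a ticket to ourselves for the user (steps 1 and 2).
        pac = kdc_s4u2self(FILE_SERVER_SPN, session_pac.user).pac
        used_s4u2self = True
    allowed, reason = evaluate_cbac(pac, required_claims)   # steps 3-10 condensed
    return allowed, reason, used_s4u2self


if __name__ == "__main__":
    # Constructed session PAC as obtained from a pre-Windows 8 client: no claims.
    legacy_session = Pac(user="alice", groups=frozenset({"S-1-5-21-EXAMPLE-1105"}))
    print(read_with_claims_fetch(legacy_session, SHARE_CONDITION))
```

The model deliberately separates "claim absent from the PAC" from "claim present with the wrong value": only the former triggers the S4U2self request, which mirrors the text, where the round-trip exists to supply claims the client could not provide, not to re-evaluate a user whose claims are already known and do not match.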