3.3.1.1 Account Database Extensions


The Kerberos V5 protocol specifies that KDCs MUST maintain a database of principals with their secret keys and corresponding supported encryption types:

  • Secret keys: KILE implementations that use Active Directory for the account database use the supplementalCredentials attribute ([MS-ADA3] section 2.287).

  • KerbSupportedEncryptionTypes: A 32-bit unsigned integer that contains a combination of flags that specify what encryption types (section 3.1.5.2) are supported by the application server, and whether compound identity (section 2.2.7) is supported.<43> KILE implementations that use Active Directory for the account database use the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.473).

To support all functionality of KILE, the account database MUST be extended to support the following additional information for each principal:

  • AuthorizationDataNotRequired: A Boolean setting to control when to include a PAC in the service ticket. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) NA flag. The default is FALSE.

  • AssignedPolicy: A link to the policy. KILE implementations that use Active Directory for the account database use the msDS-AssignedAuthNPolicy attribute ([MS-ADA2] section 2.224).

  • AssignedSilo: A link to the silo. KILE implementations that use Active Directory for the account database use the msDS-AssignedAuthNPolicySilo attribute ([MS-ADA2] section 2.226).

  • Illustrative KDC pseudo variables

    • BelongsToSilo: A KDC pseudo variable that is a Boolean variable used for illustrative purposes in the processing instructions of section 3.3.5.4 and section 3.3.5.5. The value of BelongsToSilo is not persisted across client requests. The KDC sets the BelongsToSilo value based on the processing rules in section 3.3.5.4 to determine an account's Authentication Policy Silo membership. If TRUE, the account belongs to an AssignedSilo. If BelongsToSilo is FALSE and AssignedPolicy is not NULL, the account belongs to an AssignedPolicy.

  • The KDC sets the following pseudo variables based on the processing rules in section 3.3.5.5, for the account types (<acctype>) User ([MS-ADSC] section 2.268), Service (ManagedServiceAccount [MS-ADSC] section 2.141), and Computer ([MS-ADSC] section 2.21):

    • PolicyName: A pseudo variable for the KDC's counterpart of the relative distinguished name (RDN) in msDS-<acctype>AuthNPolicy.RDN ([MS-ADA2] section 2.224). The KDC sets the value to one of the following:

      • AssignedSilo.msDS-<acctype>AuthNPolicy.RDN ([MS-ADSC] section 2.121), 

      • AssignedPolicy.RDN ([MS-ADSC] section 2.120), or

      • NULL.

    • Enforced: A pseudo variable for a Boolean variable that is the KDC's counterpart of msDS-AuthNPolicyEnforced ([MS-ADA2] section 2.230). The KDC sets the value to either of the following:

      • AssignedSilo.msDS-AuthNPolicyEnforced ([MS-ADSC] section 2.121), or

      • FALSE.

    • TGTLifetime: A pseudo variable for the KDC's counterpart of msDS-<acctype>TGTLifetime ([MS-ADA2] section 2.497 User, section 2.464 Service, and section 2.297 Computer), used in msDS-AuthNPolicy ([MS-ADSC] section 2.120). The KDC sets the value to either of the following:

      • AssignedSilo.msDS-<acctype>AuthNPolicy.msDS-<acctype>TGTLifetime, or

      • AssignedPolicy.msDS-<acctype>AuthNPolicy.msDS-<acctype>TGTLifetime.

    • AllowedToAuthenticateTo: A pseudo variable for the KDC's counterpart of msDS-<acctype>AllowedToAuthenticateTo ([MS-ADA2] section 2.493), used in msDS-AuthNPolicy ([MS-ADSC] section 2.120). The KDC sets the value to either of the following:

      • AssignedSilo.msDS-<acctype>AuthNPolicy.msDS-<acctype>AllowedToAuthenticateTo, or

      • AssignedPolicy.msDS-<acctype>AuthNPolicy.msDS-<acctype>AllowedToAuthenticateTo.

    • AllowedToAuthenticateFrom: A pseudo variable for the KDC's counterpart of msDS-<User/Service>AuthNPolicy.msDS-<User/Service>AllowedToAuthenticateFrom ([MS-ADA2] section 2.492 User and section 2.460 Service; used in [MS-ADSC] section 2.120). This setting exists only for User and Service accounts. The KDC sets the value to one of the following:

      • AssignedSilo.msDS-<User/Service>AuthNPolicy.msDS-<User/Service>AllowedToAuthenticateFrom,

      • AssignedPolicy.msDS-<User/Service>AuthNPolicy.msDS-<User/Service>AllowedToAuthenticateFrom, or

      • NULL.

  • DelegationNotAllowed: A Boolean setting to prevent PROXIABLE or FORWARDABLE ticket flags ([RFC4120] sections 2.5 and 2.6) in tickets for the principal. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) ND flag. The default is FALSE.

  • Disabled: A Boolean setting to control when the account is disabled. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) D flag. The default is FALSE.

  • Expired: A Boolean setting to control when the password has expired. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) PE flag. The default is FALSE.

  • GroupMembership: A list of GROUP_MEMBERSHIP structures ([MS-PAC] section 2.2.2) that contain the groups to which the account belongs in the realm.

  • Locked: A Boolean setting to control when the account is locked out. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) L flag. The default is FALSE.

  • LogonHours: A binary value with the SAMPR_LOGON_HOURS structure ([MS-SAMR] section 2.2.6), indicating a logon policy describing the time periods during which the user can authenticate. KILE implementations that use Active Directory for the account database use the logonHours attribute ([MS-ADA1] section 2.376).

  • PasswordMustChange: A FILETIME value indicating when the password must change. A value of 0x7FFFFFFF FFFFFFFF means the password never has to change. KILE implementations that use Active Directory for the account database generate the value with the same method as the SAM ([MS-SAMR] section 3.1.5.14.4). The default is 0.

  • Pre-AuthenticationNotRequired: A Boolean setting to control whether pre-authentication data is required. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) DR flag. The default is FALSE.

  • TrustedForDelegation: A Boolean setting to control when to set the OK-AS-DELEGATE ticket flag ([RFC4120] section 2.8) in tickets for the principal. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) TD flag. The default is FALSE.

  • UseDESOnly: A Boolean setting to control when only the des-cbc-md5 and/or des-cbc-crc keys [RFC3961] are used in the Kerberos exchanges for this account. KILE implementations that use Active Directory for the account database use the userAccountControl attribute ([MS-ADTS] section 2.2.16) DK flag. The default is FALSE.
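The precedence the pseudo-variable bullets above describe (silo-linked policy first, then AssignedPolicy, otherwise NULL or FALSE) is easy to get wrong when reading policy settings off an account, so here is a worked resolver. This is an added example, not text or code from [MS-KILE]; the dataclass shapes, the sample silo and policy objects, the SDDL strings and the TGT lifetimes are all constructed for illustration. The silo-membership check of section 3.3.5.4 is not on this page, so the example takes its outcome (BelongsToSilo) as an input rather than computing it, and it treats AllowedToAuthenticateFrom as NULL for Computer accounts because the page defines that setting only for User and Service.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed, minimal models of the directory objects the section names. Only the
# attributes the page mentions are modelled; the Python shapes are this example's own.

@dataclass
class AuthNPolicy:
    """msDS-AuthNPolicy object; per-account-type attributes are keyed by <acctype>."""
    rdn: str
    tgt_lifetime: Dict[str, int] = field(default_factory=dict)   # msDS-<acctype>TGTLifetime
    allowed_to: Dict[str, str] = field(default_factory=dict)     # msDS-<acctype>AllowedToAuthenticateTo
    allowed_from: Dict[str, str] = field(default_factory=dict)   # msDS-<User/Service>AllowedToAuthenticateFrom

@dataclass
class AuthNPolicySilo:
    """msDS-AuthNPolicySilo object."""
    rdn: str
    enforced: bool                                                  # msDS-AuthNPolicyEnforced
    policies: Dict[str, AuthNPolicy] = field(default_factory=dict)  # msDS-<acctype>AuthNPolicy links

@dataclass
class Account:
    name: str
    acctype: str                                     # "User", "Service" or "Computer"
    assigned_policy: Optional[AuthNPolicy] = None    # msDS-AssignedAuthNPolicy
    assigned_silo: Optional[AuthNPolicySilo] = None  # msDS-AssignedAuthNPolicySilo

@dataclass
class KdcPseudoVars:
    belongs_to_silo: bool
    policy_name: Optional[str]
    enforced: bool
    tgt_lifetime: Optional[int]
    allowed_to_authenticate_to: Optional[str]
    allowed_to_authenticate_from: Optional[str]


def resolve_pseudo_vars(acct: Account, belongs_to_silo: bool) -> KdcPseudoVars:
    """Populate the section 3.3.5.5 pseudo variables with the precedence the page lists.

    belongs_to_silo is the result of the section 3.3.5.4 membership check, which is
    outside this example, so the caller supplies it."""
    policy: Optional[AuthNPolicy] = None
    enforced = False                      # Enforced is FALSE unless taken from the silo
    if belongs_to_silo and acct.assigned_silo is not None:
        policy = acct.assigned_silo.policies.get(acct.acctype)   # AssignedSilo.msDS-<acctype>AuthNPolicy
        enforced = acct.assigned_silo.enforced                   # AssignedSilo.msDS-AuthNPolicyEnforced
    elif acct.assigned_policy is not None:
        policy = acct.assigned_policy                            # AssignedPolicy

    if policy is None:                    # PolicyName NULL; nothing else to take values from
        return KdcPseudoVars(belongs_to_silo, None, enforced, None, None, None)

    # The page defines AllowedToAuthenticateFrom for User and Service only (example's reading).
    allowed_from = None
    if acct.acctype in ("User", "Service"):
        allowed_from = policy.allowed_from.get(acct.acctype)

    return KdcPseudoVars(
        belongs_to_silo=belongs_to_silo,
        policy_name=policy.rdn,
        enforced=enforced,
        tgt_lifetime=policy.tgt_lifetime.get(acct.acctype),
        allowed_to_authenticate_to=policy.allowed_to.get(acct.acctype),
        allowed_to_authenticate_from=allowed_from,
    )


# Constructed sample: a Tier 0 silo whose user policy shortens the TGT lifetime and
# restricts where users may authenticate from. SDDL strings are illustrative only.
TIER0_USER_POLICY = AuthNPolicy(
    rdn="Tier0UserPolicy",
    tgt_lifetime={"User": 240},
    allowed_to={"User": 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "Tier0Silo"))'},
    allowed_from={"User": 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@DEVICE.ad://ext/AuthenticationSilo == "Tier0Silo"))'},
)
TIER0_COMPUTER_POLICY = AuthNPolicy(
    rdn="Tier0ComputerPolicy", tgt_lifetime={"Computer": 240},
    allowed_to={"Computer": "O:SYG:SYD:(A;;CR;;;WD)"},
)
TIER0_SILO = AuthNPolicySilo(rdn="Tier0Silo", enforced=True,
                             policies={"User": TIER0_USER_POLICY, "Computer": TIER0_COMPUTER_POLICY})
FALLBACK_POLICY = AuthNPolicy(rdn="DefaultUserPolicy", tgt_lifetime={"User": 600})


def sample_cases() -> Dict[str, KdcPseudoVars]:
    """Resolve four constructed accounts, one per branch of the precedence rules."""
    admin = Account("da-alice", "User", assigned_policy=FALLBACK_POLICY, assigned_silo=TIER0_SILO)
    dc = Account("DC01$", "Computer", assigned_silo=TIER0_SILO)
    plain = Account("bob", "User")
    return {
        "admin_in_silo": resolve_pseudo_vars(admin, belongs_to_silo=True),
        # silo link present, but the 3.3.5.4 membership check failed: AssignedPolicy applies
        "admin_not_member": resolve_pseudo_vars(admin, belongs_to_silo=False),
        "dc_in_silo": resolve_pseudo_vars(dc, belongs_to_silo=True),
        "unmanaged_user": resolve_pseudo_vars(plain, belongs_to_silo=False),
    }


if __name__ == "__main__":
    for label, vars_ in sample_cases().items():
        print(label, vars_)
```

Note that Enforced only ever comes from the silo in this section's text, so an account that falls through to AssignedPolicy gets Enforced = FALSE here even though it has a policy; that is the page's rule, not a simplification of the example.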

For KILE implementations that use Active Directory for the account database, the preceding Boolean settings are accessible in the userAccountControl attribute ([MS-ADTS] section 2.2.16):

  • D flag: Disabled

  • DK flag: UseDESOnly

  • DR flag: Pre-AuthenticationNotRequired

  • L flag: Locked

  • NA flag: AuthorizationDataNotRequired

  • ND flag: DelegationNotAllowed

  • PE flag: Expired

  • TA flag: TrustedToAuthenticationForDelegation

  • TD flag: TrustedForDelegation
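A practitioner auditing an account usually sees these settings as two raw integers, userAccountControl and msDS-SupportedEncryptionTypes, so the following added example decodes both into the KILE names used on this page and flags the settings that change KDC behaviour. This is example code, not part of [MS-KILE]. The bit values come from [MS-ADTS] section 2.2.16 and [MS-KILE] section 2.2.7, which this section cites but does not reproduce; the LDIF sample, the account names and the attribute values are constructed. An absent msDS-SupportedEncryptionTypes is passed as 0; the KDC's default behaviour for that case (section 3.1.5.2) is not modelled.

```python
from typing import Dict, List

# userAccountControl bits per [MS-ADTS] section 2.2.16, keyed by the flag letters this page uses.
UAC_FLAGS = {
    "D":  (0x00000002, "Disabled"),
    "L":  (0x00000010, "Locked"),
    "TD": (0x00080000, "TrustedForDelegation"),
    "ND": (0x00100000, "DelegationNotAllowed"),
    "DK": (0x00200000, "UseDESOnly"),
    "DR": (0x00400000, "Pre-AuthenticationNotRequired"),
    "PE": (0x00800000, "Expired"),
    "TA": (0x01000000, "TrustedToAuthenticationForDelegation"),
    "NA": (0x02000000, "AuthorizationDataNotRequired"),
}

# msDS-SupportedEncryptionTypes bits per [MS-KILE] section 2.2.7.
ENCTYPE_BITS = {
    0x00000001: "DES-CBC-CRC",
    0x00000002: "DES-CBC-MD5",
    0x00000004: "RC4-HMAC",
    0x00000008: "AES128-CTS-HMAC-SHA1-96",
    0x00000010: "AES256-CTS-HMAC-SHA1-96",
}
FAST_SUPPORTED = 0x00010000
COMPOUND_IDENTITY_SUPPORTED = 0x00020000
CLAIMS_SUPPORTED = 0x00040000
RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000


def decode_uac(uac: int) -> Dict[str, bool]:
    """Map userAccountControl onto the KILE Boolean settings; an unset bit is FALSE."""
    return {setting: bool(uac & bit) for bit, setting in UAC_FLAGS.values()}


def decode_supported_enctypes(value: int) -> dict:
    """Split msDS-SupportedEncryptionTypes into enctype names and capability flags."""
    names = [name for bit, name in ENCTYPE_BITS.items() if value & bit]
    known = (sum(ENCTYPE_BITS) | FAST_SUPPORTED | COMPOUND_IDENTITY_SUPPORTED
             | CLAIMS_SUPPORTED | RESOURCE_SID_COMPRESSION_DISABLED)
    return {
        "enctypes": sorted(names),
        "fast": bool(value & FAST_SUPPORTED),
        "compound_identity": bool(value & COMPOUND_IDENTITY_SUPPORTED),
        "claims": bool(value & CLAIMS_SUPPORTED),
        "resource_sid_compression_disabled": bool(value & RESOURCE_SID_COMPRESSION_DISABLED),
        "unknown_bits": value & ~known,   # bits this example does not know how to name
    }


def review_account(uac: int, enctypes: int) -> List[str]:
    """Report the settings from this section that alter how the KDC treats the account."""
    s = decode_uac(uac)
    findings = []
    if s["Pre-AuthenticationNotRequired"]:
        findings.append("DR: pre-authentication data is not required for this account")
    if s["UseDESOnly"]:
        findings.append("DK: only des-cbc-crc/des-cbc-md5 keys are used for this account")
    if s["TrustedForDelegation"]:
        findings.append("TD: OK-AS-DELEGATE will be set in tickets for this principal")
    if s["AuthorizationDataNotRequired"]:
        findings.append("NA: the PAC is omitted from service tickets for this principal")
    enc = decode_supported_enctypes(enctypes)
    if enctypes and not any(name.startswith("AES") for name in enc["enctypes"]):
        findings.append(f"msDS-SupportedEncryptionTypes advertises no AES enctype (value {enctypes:#x})")
    if enc["unknown_bits"]:
        findings.append(f"unrecognised msDS-SupportedEncryptionTypes bits {enc['unknown_bits']:#x}")
    return findings


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader for the single-valued attributes in the sample below."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        current[key.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries


# Constructed sample export: a legacy service account with DR set and RC4 only, and a
# server whose msDS-SupportedEncryptionTypes advertises AES plus compound identity.
SAMPLE_LDIF = """\
dn: CN=svc-legacy,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc-legacy
userAccountControl: 4260352
msDS-SupportedEncryptionTypes: 4

dn: CN=FS01,OU=Servers,DC=corp,DC=example
sAMAccountName: FS01$
userAccountControl: 528384
msDS-SupportedEncryptionTypes: 131096
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        uac = int(entry["userAccountControl"])
        enc = int(entry.get("msDS-SupportedEncryptionTypes", "0"))
        print(entry["sAMAccountName"], sorted(k for k, v in decode_uac(uac).items() if v),
              decode_supported_enctypes(enc)["enctypes"])
        for finding in review_account(uac, enc):
            print("  -", finding)
```

The TA flag is listed in the mapping above without a corresponding setting bullet in this section; the decoder keeps it so that an audit does not silently drop it.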