3.2.5.5 AS Exchange

The Kerberos V5 protocol specifies the AS exchange ([RFC4120] section 3.1). KILE also supports extensions to the AS exchange as specified in [Referrals-11], [RFC5349], [RFC4556], and [MS-PKCA].

The client always includes a PAC request padata type when generating a KRB_AS_REQ message. The PAC is specified in [MS-PAC].

If EnableCBACandArmor is TRUE, the client SHOULD<34> behave as follows:

  1. When sending the AS-REQ, add a PA-PAC-OPTIONS [167] (section 2.2.10) padata type with the Claims bit set in the AS-REQ to request claims authorization data.

  2. When receiving the KRB_AS_REP message, if the Claims bit is set in the PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) and not set in the PA-PAC-OPTIONS [167] structure (section 2.2.10), the client locates a DS_BEHAVIOR_WIN2012 DC (section 3.2.5.3) and returns to step 1.

If EnableCBACandArmor is TRUE, the principal is not the computer account, and the client is running on a domain-joined computer, the Kerberos client SHOULD<35> use FAST [RFC6113] when the principal’s Realm supports FAST (section 3.2.5.4).
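The client-side decisions above (always request a PAC, add PA-PAC-OPTIONS with Claims when EnableCBACandArmor is TRUE, fall back to a DS_BEHAVIOR_WIN2012 DC when the realm advertises claims but the DC did not honour the request, and decide whether FAST applies) can be modelled as a small state machine. The following is an added illustration, not code from [MS-KILE] or any Kerberos implementation: it represents padata as plain Python tuples rather than ASN.1, and the padata type numbers (128 for PA-PAC-REQUEST; 165 and 167 are given in the text), the Claims bit value 0x00040000 in PA-SUPPORTED-ENCTYPES and the Claims position (bit 0) in the PA-PAC-OPTIONS KerberosFlags are assumptions drawn from the referenced sections. The `send` and `locate_win2012_dc` callbacks, `ClientConfig`, and the DC replies in `constructed_demo` are constructed for the example.

```python
"""Decision logic for the KILE AS exchange, modelled with plain Python values.

Added example, not code from [MS-KILE]. Padata type numbers and flag bit
values below are assumptions taken from the referenced spec sections.
"""
from dataclasses import dataclass

# padata type numbers (assumed: PA-PAC-REQUEST 128; 165/167 are in the text)
PA_PAC_REQUEST = 128
PA_SUPPORTED_ENCTYPES = 165
PA_PAC_OPTIONS = 167

# Flag values (assumptions): Claims in PA-SUPPORTED-ENCTYPES is 0x00040000;
# PA-PAC-OPTIONS is a KerberosFlags bit string whose bit 0 is Claims.
SUPPORTED_ENCTYPES_CLAIMS = 0x00040000
PAC_OPTIONS_CLAIMS = 1 << 0


@dataclass
class ClientConfig:
    """Constructed stand-in for the client's policy and account context."""
    enable_cbac_and_armor: bool = False
    is_computer_account: bool = False
    domain_joined: bool = True


def build_as_req_padata(cfg):
    """Padata attached to KRB_AS_REQ: always a PAC request; step 1 adds
    PA-PAC-OPTIONS with the Claims bit when EnableCBACandArmor is TRUE."""
    padata = [(PA_PAC_REQUEST, {"include-pac": True})]
    if cfg.enable_cbac_and_armor:
        padata.append((PA_PAC_OPTIONS, PAC_OPTIONS_CLAIMS))
    return padata


def needs_win2012_dc(cfg, rep_padata):
    """Step 2: True when the realm advertises Claims in PA-SUPPORTED-ENCTYPES
    but this DC did not echo the Claims bit in PA-PAC-OPTIONS."""
    if not cfg.enable_cbac_and_armor:
        return False
    by_type = dict(rep_padata)
    realm_claims = bool(by_type.get(PA_SUPPORTED_ENCTYPES, 0) & SUPPORTED_ENCTYPES_CLAIMS)
    dc_claims = bool(by_type.get(PA_PAC_OPTIONS, 0) & PAC_OPTIONS_CLAIMS)
    return realm_claims and not dc_claims


def should_use_fast(cfg, realm_supports_fast):
    """FAST rule: CBAC/armor enabled, not the computer account, domain-joined,
    and the principal's realm supports FAST (section 3.2.5.4)."""
    return (cfg.enable_cbac_and_armor
            and not cfg.is_computer_account
            and cfg.domain_joined
            and realm_supports_fast)


def run_as_exchange(cfg, send, locate_win2012_dc):
    """Send the AS-REQ; if step 2 fires, locate a DS_BEHAVIOR_WIN2012 DC and
    return to step 1 once. Returns (dc_used, as_rep_padata)."""
    dc = None  # None: whichever DC the locator would normally pick
    for attempt in range(2):
        rep_padata = send(dc, build_as_req_padata(cfg))
        if not needs_win2012_dc(cfg, rep_padata):
            return dc, rep_padata
        if attempt == 0:
            dc = locate_win2012_dc()
    raise RuntimeError("no DC honoured the claims request")


def constructed_demo():
    """Constructed scenario: the first DC advertises Claims in
    PA-SUPPORTED-ENCTYPES (with AES128/AES256) but returns no PA-PAC-OPTIONS;
    the located 2012-level DC echoes the Claims bit, so the retry succeeds."""
    enctypes = 0x18 | SUPPORTED_ENCTYPES_CLAIMS
    replies = {
        None: [(PA_SUPPORTED_ENCTYPES, enctypes)],
        "dc2012.example.test": [(PA_SUPPORTED_ENCTYPES, enctypes),
                                (PA_PAC_OPTIONS, PAC_OPTIONS_CLAIMS)],
    }
    cfg = ClientConfig(enable_cbac_and_armor=True)
    return run_as_exchange(cfg,
                           send=lambda dc, req: replies[dc],
                           locate_win2012_dc=lambda: "dc2012.example.test")


if __name__ == "__main__":
    print(constructed_demo())
```

Note that `needs_win2012_dc` treats a missing PA-PAC-OPTIONS in the reply the same as one with the Claims bit clear, which is the case that matters in practice: a DC that does not understand the option simply does not echo it.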