6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.

| Windows Client release | OAuthBrokerExtension Client role | OAuthBrokerExtension Server role |
|---|---|---|
| Windows 10 v1511 operating system | Yes | No |
| Windows 11 operating system | Yes | No |

| Windows Server release | OAuthBrokerExtension Client role | OAuthBrokerExtension Server role |
|---|---|---|
| Windows Server 2016 operating system | Yes | Yes |
| Windows Server operating system | No | Yes |
| Windows Server 2019 operating system | Yes | Yes |
| Windows Server 2022 operating system | No | Yes |
| Windows Server 2025 operating system | No | Yes |

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.2.1: Even though AD_FS_BEHAVIOR_LEVEL_3 is supported on Windows Server 2016, the krctx parameter and the "winhello_cert_kr" value are supported on Windows Server 2016 only if [MSKB-4088889] is installed.

<2> Section 3.1.5.1.3.3: This protocol now supports KDF Version 2 for creating derived keys, which is used by clients to create a signed JWT. KDF Version 2 is supported on the operating systems specified in [MSFT-CVE-2021-33781], each with its related KB article download installed.

<3> Section 3.1.5.1.4: The POST (Exchange Primary Refresh Token for User Authentication Certificate) method is not supported in Windows 10 v1511 or Windows 10 v1607 operating system. This method is exercised in Windows 10 v1703 operating system and later only if [MSKB-4022723] is installed on Windows Server 2016 or if a later version of the product is being used for the server role.

<4> Section 3.2.5.1.2.1: Windows clients use the identifier "38aa3b87-a06d-4817-b275-7a316988d93b" to represent the broker client.

<5> Section 3.2.5.1.2.3: The Windows implementation of the AD FS server verifies that the nonce was issued within the last 10 minutes.

<6> Section 3.2.5.1.4: The POST (Exchange Primary Refresh Token for User Authentication Certificate) method is not supported in Windows Server 2016 without [MSKB-4022723] installed.

<7> Section 3.2.5.2.1.1.1: The default value is "windows" for the Windows platform.

<8> Section 3.2.5.2.1.1.1: The win_ver value is the Windows version information.

<9> Section 3.2.5.2.1.1.2: The Windows implementation of the client role supplies the values specified for grant_type and iss, but the Windows implementation of the server role ignores them.

<10> Section 3.2.5.2.1.1.2: The default value is "windows" for the Windows platform.

<11> Section 3.2.5.2.1.1.2: The win_ver value is the Windows version information.

<12> Section 3.2.5.2.1.3: The Windows implementation of the AD FS server verifies that the nonce was issued within the last 10 minutes.

<13> Section 3.2.5.2.1.3: The Windows implementation of the AD FS server verifies that the nonce was issued within the last 10 minutes.