6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

Windows Releases

  • Windows Server 2003 operating system

  • Windows XP operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows 11 operating system

  • Windows Server 2025 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1.5: The configuration server URL is stored in registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport and, by default, contains the value "http://nexus.passport.com/rdr/pprdr.asp".

<2> Section 2.2.1: On Windows, the client sends this value to the partner server via an HTTP redirect after it receives it from the AS.

<3> Section 2.2.3: On Windows, Passport authentication server implementations include an Authentication Server-Instructed Update message with every Token Response message.

<4> Section 2.2.8: On Windows, the client processes the Partner Server Challenge message only when returned with a 302 HTTP status code.

<5> Section 2.2.9: On Windows, the client processes the tokens, which are set as cookies, as part of the message. On Windows, the client does process the Authentication-Info header in the message. On Windows, the client also does normal processing of any HTTP status codes per the HTTP standard.

<6> Section 3.1.1: On Windows, the client does store this state.

<7> Section 3.1.5.1: On Windows, the client compares the condition to the list of security support providers (SSPs) installed on the local machine.

<8> Section 3.1.5.2: The client always takes the values of sign-in and Pwd from its Cached User Credentials if credentials are stored there and if the prompt predicate parameter is absent from the Authentication Server Challenge message.

<9> Section 3.1.5.7: All tname parameter values sent to the client are ignored.

<10> Section 3.1.5.8: All tname parameter values sent to the client are ignored.

<11> Section 3.3.5.1: The Microsoft Passport authentication server implementation does not include any tname parameter values in its Token Response messages.

<12> Section 3.3.5.1: The Microsoft Passport authentication server includes an Authentication Server-Instructed Update message with every Token Response message.

<13> Section 3.3.5.2: The Microsoft Passport authentication server implementation does not include any tname parameter values in its Token Response messages.

The Microsoft Passport authentication server sets cookies only if cookies are not already set, or if cookies are set and the authentication server performed additional verification on the data contained in the cookies. Verification consists of verifying user account status and is Passport authentication server-specific.

<14> Section 3.3.5.2: The Microsoft Passport authentication server includes an Authentication Server-Instructed Update message with every Token Response message.
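
An added PowerShell check for note <1> (example code, not part of the Microsoft specification): it lists every URL-valued entry under the documented registry key and reports whether each one matches the documented default and whether it uses cleartext HTTP. The specification does not name the registry value, so the script enumerates all values under the key; the function name `Get-PassportConfigUrlFinding` is hypothetical.

```powershell
# Added example: audit the Passport configuration server URL from note <1>.
# Assumption: the value name is unknown, so every value under the key is inspected.
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport'
$DefaultUrl = 'http://nexus.passport.com/rdr/pprdr.asp'   # default documented in note <1>

function Get-PassportConfigUrlFinding {
    param(
        [string]$Path       = $KeyPath,
        [string]$ExpectedUrl = $DefaultUrl
    )

    # A missing key is not an error: the component may simply not be configured.
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Verbose "Key not present: $Path"
        return
    }

    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        $data = $key.GetValue($name)
        if ($data -isnot [string]) { continue }          # skip DWORD/binary values

        # Keep only values that parse as absolute http(s) URLs.
        $uri = $null
        if (-not [System.Uri]::TryCreate($data, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        if ($uri.Scheme -notin 'http', 'https') { continue }

        [pscustomobject]@{
            ValueName   = if ($name) { $name } else { '(Default)' }
            Url         = $data
            Host        = $uri.Host
            IsDefault   = ($data -eq $ExpectedUrl)       # matches the documented default
            IsCleartext = ($uri.Scheme -eq 'http')       # fetched without TLS
        }
    }
}

# Report every URL found; entries with IsDefault = False deserve a closer look.
Get-PassportConfigUrlFinding | Format-Table -AutoSize
```

Reading the key requires no elevation on a default installation; run it across a fleet and compare the `Url` and `Host` columns to spot machines whose configuration server differs from the documented value.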