3.4.5.3 Processing Authorization Data

Kerberos V5 specifies rules for processing the authorization data field in [RFC4120] section 5.2.6.

KILE MUST unpack the authorization data field and look for an AD-WIN2K-PAC structure ([RFC4120] section 7.5.4). If the structure is valid as defined in [MS-PAC], the server MUST verify the server signature. To verify the server signature, the Signature field values are removed from the PAC buffer and replaced with zeros. Then the hash is generated [RFC4757] and the resulting hash is compared with the server signature ([MS-PAC] section 2.8.4) Signature field value. If the PAC is valid, it is used as the authorization information.

The server MUST search all AD-IF-RELEVANT containers for the KERB_AUTH_DATA_TOKEN_RESTRICTIONS (141) and KERB_AUTH_DATA_LOOPBACK (142) authorization data entries. The server MAY<80> search all AD-IF-RELEVANT containers for all other authorization data entries. The server MUST check if KERB-AD-RESTRICTION-ENTRY.Restriction.MachineID (section 2.2.6) is equal to machine ID (section 3.1.1.4):

  • If equal, the server processes the authentication as a local one, because the client and server are on the same machine, and can use the KERB-LOCAL structure (section 2.2.4) AuthorizationData for any local implementation purposes.

  • Otherwise, the server MUST ignore the KERB_AUTH_DATA_TOKEN_RESTRICTIONS (141) Authorization Data Type, the KERB-AD-RESTRICTION-ENTRY structure (section 2.2.6), the KERB-LOCAL (142), and the containing KERB-LOCAL structure (section 2.2.4).

For KILE implementations that use a security identifier (SID)-based authorization model, the server populates the User SID and Security Group SIDs in the ImpersonationAccessToken parameter (section 3.4.1) as follows:

  • Concatenate LogonDomainId and UserId [MS-PAC] section 2.5), add to the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.UserIndex field to this index.

  • Concatenate LogonDomainId and PrimaryGroupId ([MS-NRPC] sections 2.2.1.4.11, 2.2.1.4.12, and 2.2.1.4.13), add the result to the ImpersonationAccessToken.Sids array, and set the ImpersonationAccessToken.PrimaryGroup field to this index.

  • For each GroupIds ([MS-PAC] section 2.2.2), concatenate LogonDomainId ([MS-PAC] section 2.5) and GroupIds.RelativeID and add to the ImpersonationAccessToken.Sids array.

  • For each ExtraSids ([MS-PAC] section 2.2.2), add the ExtraSids.Sid to the ImpersonationAccessToken.Sids array.

  • If a PAC_CLIENT_CLAIMS_INFO structure ([MS-PAC] section 2.11) and CLAIMS_VALID SID ([MS-DTYP] section 2.4.2.4) are in KERB_VALIDATION_INFO.ExtraSids, then the server SHOULD<81> set the ImpersonationAccessToken.UserClaims field to the value of the Claims field.

  • If a PAC_DEVICE_INFO structure ([MS-PAC] section 2.12) and COMPOUNDED_AUTHENTICATION SID ([MS-DTYP] section 2.4.2.4) are in KERB_VALIDATION_INFO.ExtraSids, then the server SHOULD<82> populate the User SID and Security Group SIDs in the ImpersonationAccessToken.DeviceSids array (section 3.4.1) as follows:

    • Concatenate the AccountDomainId and PrimaryGroupId ([MS-PAC] section 2.12) fields, add the result to the ImpersonationAccessToken.DeviceSids array, and set the ImpersonationAccessToken.DevicePrimaryGroup field to the index of the newly added SID.

    • For each AccountGroupIds ([MS-PAC] section 2.5), concatenate AccountDomainId  and AccountGroupIds.DevieRelativeID ([MS-PAC] section 2.2.2) and add to the ImpersonationAccessToken.DeviceSids array.

    • For each ExtraSids ([MS-PAC] section 2.5), add the ExtraSids.Sid to the ImpersonationAccessToken.DeviceSids array.

    • For each DomainGroup: for each DomainGroup.DomainId ([MS-PAC] section 2.2.3), concatenate DomainGroup.DomainId and DomainGroup.GroupIds.RelativeID ([MS-PAC] section 2.2.2) and add to the ImpersonationAccessToken.DeviceSids array.

  • If CLAIMS_VALID SID is in PAC_DEVICE_INFO.ExtraSids and COMPOUNDED_AUTHENTICATION SID ([MS-DTYP] section 2.4.2.4) is in KERB_VALIDATION_INFO.ExtraSids, then the server sets ImpersonationAccessToken.DeviceClaims to Claims.

The server calls GatherGroupMembershipForSystem ([MS-DTYP] section 2.5.2.1.1) where InitialMembership contains the ImpersonationAccessToken.Sids array and sets ImpersonationAccessToken.Sids array to FinalMembership.

The server calls AddPrivilegesToToken ([MS-DTYP] section 2.5.2.1.2) where Token contains ImpersonationAccessToken.

Other SIDs can be added to the ImpersonationAccessToken following authentication (see [MS-DTYP] section 2.7.1).