Learning Microsoft Windows Server 2012 Dynamic Access Control

Understanding claims

Before we define what a claim is, we need to talk about identities. An identity is a set of information that uniquely identifies a subject and describes that subject's relationships to other entities. Identities are, in general, verified against a trusted source of information. A digital identity, accordingly, is the set of information used to identify a person in a system.

Now that we have defined the term identity, we can discuss a few examples about claims in the real and technical world. In general, claims are statements about an identity:

  • Passport: This is the most common example; if you want to fly, you need to show your passport, which contains information such as your name, address, date of birth, and a biometric photo. Each item is a claim made about you by the country issuing your passport. Your country ensures that the information in your passport is correct, so other countries can trust it.
  • Bartender: In theory, he should check whether you are of the required minimum age before serving alcohol. The only claim he is interested in is your age, and he checks the document that proves it.
  • Certification authority: Digital certificates include claims such as the subject, the certificate thumbprint, or a distinguished name, and the certificate is verified by a trusted certificate authority.
  • Active Directory: Here, claims are statements about a specific object such as a user or computer. Examples are the user's department, his title, or whether the computer is managed or not.

Before Windows Server 2012, authentication and authorization relied only on Security Identifiers (SIDs): the SID of the user or computer and the SIDs of the security groups that represented that identity were the only things an Access Control Entry (ACE) could refer to. Windows Server 2012 lifts this limitation with support for conditional expressions. Now you can use user claims and device claims for file and folder authorization, in addition to NTFS permissions based on users' or groups' SIDs.

With Dynamic Access Control, we can use three types of claims:

  • User claims: These provide information about a user
  • Device claims: These provide information about a computer
  • Transformation claims: These are used in claim transformation policies to transform the claims leaving or entering a trusted forest

An issued claim has three characteristics or properties, and its identifier must conform to the following syntax:

  • The claim identifier must start with ad://ext/ and must be unique
  • Up to 32 characters may follow the claim identifier
  • The 32 characters may not contain spaces, \, *, ?, ", <, >, and |
  • It cannot end with a forward slash (/)
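The identifier rules above are easy to get wrong by hand, so here is an added PowerShell example (not code from the book) that checks a proposed claim identifier against each rule before you create the claim type. The sample identifiers are constructed for illustration; in a real forest you would pass the output of `(Get-ADClaimType -Filter *).ID` as the list of existing identifiers to enforce uniqueness.

```powershell
# Added example: validate a claim type identifier against the syntax rules
# (prefix ad://ext/, at most 32 characters after it, no forbidden characters,
# no trailing slash, unique in the forest).
function Test-ClaimTypeId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Id,
        # Identifiers already present in the forest; empty by default so the
        # function runs offline.
        [string[]]$ExistingIds = @()
    )

    $prefix   = 'ad://ext/'
    $problems = New-Object System.Collections.Generic.List[string]

    if (-not $Id.StartsWith($prefix, [System.StringComparison]::Ordinal)) {
        $problems.Add("must start with '$prefix'")
        $suffix = ''
    } else {
        $suffix = $Id.Substring($prefix.Length)
        if ($suffix.Length -eq 0) {
            $problems.Add('nothing follows the prefix')
        }
        if ($suffix.Length -gt 32) {
            $problems.Add("suffix is $($suffix.Length) characters; the maximum is 32")
        }
        # Forbidden characters after the prefix: space \ * ? " < > |
        if ($suffix -match '[ \\\*\?"<>\|]') {
            $problems.Add('suffix contains a forbidden character (space, \, *, ?, ", <, >, or |)')
        }
    }
    if ($Id.EndsWith('/')) {
        $problems.Add('must not end with a forward slash')
    }
    if ($ExistingIds -contains $Id) {
        $problems.Add('identifier already exists in the forest')
    }

    [pscustomobject]@{
        Id       = $Id
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample identifiers covering the valid case and each failure rule
$samples = @(
    'ad://ext/Department',            # valid
    'ad://ext/Department/',           # ends with a forward slash
    'ad://ext/Dept Name',             # contains a space
    ('ad://ext/' + ('a' * 33)),       # 33 characters after the prefix
    'http://ext/Department',          # wrong prefix
    'ad://ext/Title'                  # already present in the constructed list
)
$samples |
    ForEach-Object { Test-ClaimTypeId -Id $_ -ExistingIds @('ad://ext/Title') } |
    Format-Table -AutoSize
```

Run the script on any machine with PowerShell; only the uniqueness check needs a domain connection, and that is supplied by the caller through `-ExistingIds`.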

Note

Claims are not issued by default. You need to enable this functionality for the Kerberos Key Distribution Center (KDC) on your domain controllers, and enable the Kerberos client support for Windows authorization claims on your clients.

The following screenshot shows the default behavior on a client:

[Screenshot: default claims behavior on a client]

On the domain controller you can check the configuration of the krbtgt account:

  • Claims are not used when msDS-SupportedEncryptionTypes is set to 0x0 = ( ), as shown in the following screenshot:
    [Screenshot: krbtgt account with msDS-SupportedEncryptionTypes set to 0x0]
  • Claims will be used when msDS-SupportedEncryptionTypes is set to 0x50000 = (0x50000)
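Reading the raw msDS-SupportedEncryptionTypes value is easier with a decoder, so here is an added PowerShell example (not from the book) that breaks the value into its flag bits and reports whether claims support is advertised, applied to the two values shown above and optionally to the live krbtgt account. The bit names are taken from the MS-KILE protocol specification; the claims flag is 0x40000, so 0x50000 is the combination of FAST support and claims support. Treat the table as an assumption to verify against the current specification rather than as something the book states.

```powershell
# Added example: decode msDS-SupportedEncryptionTypes and check for claims support.
# Flag values per MS-KILE (assumed; verify against the current specification).
$SupportedEncryptionTypeFlags = [ordered]@{
    0x00001 = 'DES-CBC-CRC'
    0x00002 = 'DES-CBC-MD5'
    0x00004 = 'RC4-HMAC'
    0x00008 = 'AES128-CTS-HMAC-SHA1-96'
    0x00010 = 'AES256-CTS-HMAC-SHA1-96'
    0x10000 = 'FAST-SUPPORTED'
    0x20000 = 'COMPOUND-IDENTITY-SUPPORTED'
    0x40000 = 'CLAIMS-SUPPORTED'
    0x80000 = 'RESOURCE-SID-COMPRESSION-DISABLED'
}

function ConvertFrom-SupportedEncryptionTypes {
    param(
        [Parameter(Mandatory)]
        [int]$Value
    )
    # Collect the name of every flag whose bit is set in the value
    $names = foreach ($bit in $SupportedEncryptionTypeFlags.Keys) {
        if (($Value -band $bit) -ne 0) { $SupportedEncryptionTypeFlags[$bit] }
    }
    [pscustomobject]@{
        Value         = ('0x{0:X}' -f $Value)
        Flags         = @($names)
        ClaimsEnabled = (($Value -band 0x40000) -ne 0)
    }
}

# The two values from the screenshots described above, supplied here as constructed input
ConvertFrom-SupportedEncryptionTypes -Value 0x0
ConvertFrom-SupportedEncryptionTypes -Value 0x50000

# Live check of the krbtgt account; requires the ActiveDirectory module on a
# domain-joined machine. An absent attribute reads as $null and decodes as 0.
function Test-KrbtgtClaimsSupport {
    $krbtgt = Get-ADUser -Identity 'krbtgt' -Properties 'msDS-SupportedEncryptionTypes'
    $raw = [int]$krbtgt.'msDS-SupportedEncryptionTypes'
    ConvertFrom-SupportedEncryptionTypes -Value $raw
}
```

Run `Test-KrbtgtClaimsSupport` on a domain controller (or a workstation with RSAT) after the KDC policy has been applied; `ClaimsEnabled` should change from `False` to `True` once the 0x40000 bit is present.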

To enable claims support you need to create at least two group policies with some standard settings. On your domain controller, a policy with the following settings needs to be applied:

[Screenshot: Group Policy settings applied on the domain controller]

On your client computer, a policy with the following settings needs to be applied:

[Screenshot: Group Policy settings applied on the client computer]

Use gpupdate /force to refresh the Group Policy settings on your domain controller and your client computer so that you can test the functionality immediately.

By configuring the first claim type in Active Directory Administrative Center and populating the Department attribute for the user in Active Directory, we receive our first result as shown in the following screenshot:

[Screenshot: the Department claim type configured in Active Directory Administrative Center]

The result on the user side looks like the following screenshot:

[Screenshot: the resulting claim shown on the user side]
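The same first claim type can be created from PowerShell instead of Active Directory Administrative Center. The following is an added example (not the book's own procedure) that uses the ActiveDirectory module's claim type cmdlets, populates the Department attribute on a user, and then lists the claims the user receives after the policies above are in place. The claim identifier, the user name `jdoe`, and the department value `Sales` are constructed for illustration.

```powershell
# Added example: create the Department claim type with the ActiveDirectory module,
# set the source attribute on a test user, and display the issued claims.
Import-Module ActiveDirectory

function New-DepartmentClaimType {
    param(
        [string]$DisplayName = 'Department',
        # Constructed identifier; it follows the ad://ext/ syntax rules
        [string]$Id = 'ad://ext/Department'
    )
    # Creating a claim type twice fails, so return the existing one when present
    $existing = Get-ADClaimType -Filter "DisplayName -eq '$DisplayName'"
    if ($existing) { return $existing }

    New-ADClaimType -DisplayName $DisplayName `
                    -SourceAttribute 'department' `
                    -ID $Id `
                    -AppliesToClasses @('user') `
                    -Enabled $true `
                    -PassThru
}

# Create (or fetch) the claim type and show what was stored in the configuration partition
$claimType = New-DepartmentClaimType
$claimType | Select-Object DisplayName, ID, SourceAttribute, Enabled

# Populate the attribute the claim is sourced from; 'jdoe' and 'Sales' are constructed values
Set-ADUser -Identity 'jdoe' -Department 'Sales'

# On the client, after gpupdate /force on both sides and a fresh logon as jdoe,
# the claim appears in the user's token:
whoami /claims
```

Note that the claim is only present in tokens issued after the user logs on again, because it travels inside the Kerberos ticket; running whoami /claims in an old session shows nothing new.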

The following default data types for claims are valid:

  • Boolean: It is a true/false integer-based data type
  • Multi-valued String: These are one or more string values
  • Multi-valued Unsigned Integer: These are one or more positive integer values
  • Security Identifier: These are one or more security identifiers
  • String: These are literal alphanumeric characters
  • Unsigned Integer: This is a positive numerical value