Learning Microsoft Windows Server 2012 Dynamic Access Control

Claims support in Windows 8/2012 and newer

The following section gives a short introduction to the most important changes in the Kerberos protocol.

Kerberos authentication enhancements

The Kerberos authentication enhancements include:

  • Kerberos Security Support Provider (SSP)

    The main enhancement lives in Kerberos.dll, which now carries user claims and supports device authorization. This lets you use information about the device, not only the user, when authorizing access to a file or folder.

  • Key Distribution Center (KDC)

    The KDC supports claims.

  • Claim information within the Privilege Attribute Certificate (PAC) includes:
    • PAC in Pre-Windows 2012: It contains user and group membership security identifiers
    • PAC in Kerberos Ticket Granting Ticket (TGT): It contains information for a security principal and is optional for a device
  • NT Token sections

[Figure: Kerberos authentication enhancements]

The part to the right of the preceding figure shows the new authentication token (2012 Token) that can be used. The main difference is that device and user claims can now be used to authorize access to a file or folder.

  • Kerberos Armoring (FAST)

    Kerberos Armoring is the Microsoft name for Flexible Authentication Secure Tunneling (FAST), which is defined in RFC 6113.

  • Compound Authentication

    Compound Authentication allows a Ticket Granting Service (TGS) ticket to carry two identities, the user's and the device's.

  • Token size reduction and default maximum token size of 48 KB

    The threshold for warning events on large Kerberos tickets is configured under Computer Configuration\Policies\Administrative Templates\System\KDC\.

    Note

    The default maximum token size is 12 KB for versions up to and including Windows 7 and Windows Server 2008 R2. If a user's Kerberos token grows too large because the user is a member of many groups, the user will receive error messages during logon and applications that rely on Kerberos authentication may fail.

The following figure shows the Kerberos flow in a pre-Windows 2012 file server access solution, where no claims are used in accessing a file server and traditional access controls apply.

[Figure: Kerberos authentication enhancements]

By default, Windows 8 / Windows Server 2012 and newer versions behave the same as Windows 7 and Windows Server 2008 R2 environments. To enable claims support, the administrator must configure the group policy setting for the client machines under Policies\Computer Configuration\Administrative Templates\System\Kerberos.

Kerberos client support for claims, Compound Authentication, and Kerberos Armoring is defined in that Kerberos setting. The matching KDC support for claims, Compound Authentication, and Kerberos Armoring is defined in the corresponding setting for domain controllers under Policies\Computer Configuration\Administrative Templates\System\KDC.
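Because both of these policies are deployed through Group Policy, the quickest way to confirm what a given machine actually received is to read the policy-backed registry values. The following script is an added example and is not code from the book; it reads the values written by the client setting (System\Kerberos) and the KDC setting (System\KDC) and the MaxTokenSize override discussed in the note above. The registry paths and value names (EnableCbacAndArmor, CbacAndArmorLevel, MaxTokenSize) are assumptions drawn from the policy ADMX files and should be verified against your own environment.

```powershell
# Added example (not from the book). Reports the effective claims/armoring policy state and the
# Kerberos MaxTokenSize override on the local machine. Registry paths and value names are assumptions
# based on the Kerberos and KDC policy ADMX definitions; verify them before relying on the output.

# Meaning of the KDC policy level value (assumption: matches the drop-down in the GPO editor)
$KdcLevelNames = @{
    0 = 'Not supported'
    1 = 'Supported'
    2 = 'Always provide claims'
    3 = 'Fail unarmored authentication requests'
}

function Get-KerberosClaimsPolicyState {
    [CmdletBinding()]
    param(
        # Roots can be redirected so the function can be run against a loaded offline hive.
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
        [string]$LsaKerberosParameters = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    )

    # Returns $null when the key or value is absent, which means the policy is Not Configured.
    function Read-Dword([string]$Key, [string]$Name) {
        try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $clientEnabled = Read-Dword "$PolicyRoot\Kerberos\Parameters" 'EnableCbacAndArmor'
    $kdcEnabled    = Read-Dword "$PolicyRoot\KDC\Parameters"      'EnableCbacAndArmor'
    $kdcLevel      = Read-Dword "$PolicyRoot\KDC\Parameters"      'CbacAndArmorLevel'
    $maxTokenSize  = Read-Dword $LsaKerberosParameters            'MaxTokenSize'

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        ClientClaimsAndArmoring = if ($null -eq $clientEnabled) { 'Not configured (default: off)' }
                                  elseif ($clientEnabled -eq 1)  { 'Enabled' }
                                  else                           { 'Disabled' }
        KdcClaimsAndArmoring    = if ($null -eq $kdcEnabled) { 'Not configured (default: Not supported)' }
                                  elseif ($kdcEnabled -eq 1)  { $KdcLevelNames[[int]$kdcLevel] }
                                  else                        { 'Disabled' }
        # Windows 8 / Server 2012 default to 48000 bytes when no override exists (the 48 KB above);
        # Windows 7 / Server 2008 R2 and older default to 12000 bytes.
        MaxTokenSizeBytes       = if ($null -eq $maxTokenSize) { '48000 (default, not overridden)' } else { $maxTokenSize }
    }
}

# Usage: run on a client to check the Kerberos setting, on a domain controller to check the KDC setting
Get-KerberosClaimsPolicyState | Format-List
```

Run it on a client and on a domain controller side by side: a client that is 'Enabled' while every reachable DC reports 'Not supported' will silently fall back to classic (claim-less) tickets, which is the configuration mismatch the rest of this section warns about.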

Note

If device claims are enabled in a Dynamic Access Control solution, Windows 8 Client or Windows Server 2012 and newer will always use Windows 2012 or newer domain controllers to request the Kerberos tickets.

The following figure shows the changed Kerberos flow with the usage of claims:

[Figure: Kerberos authentication enhancements]

Be sure to plan enough Windows 2012 domain controllers in your Active Directory environment. Monitor the KDC AS (KDC Authentication Service) and TGS request performance counters to determine how many domain controllers you need.

After claims deployment, monitor the following performance counters:

  • KDC AS request with claims for domain controllers
  • KDC AS requests with FAST for domain controllers
  • KDC TGS requests with FAST for domain controllers
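The counters listed above are exposed on each domain controller through the Security System-Wide Statistics performance object and are cumulative totals, so sizing decisions need request rates rather than raw values. The following script is an added example, not code from the book: it discovers the KDC AS/TGS counters a DC actually exposes (including the claims-aware and FAST/armored variants), samples them, and reports requests per second so the load can be compared across DCs. The counter-name filter and the sample domain controller names DC01 and DC02 are assumptions; the exact counter names vary by OS build.

```powershell
# Added example (not from the book). Samples the KDC request counters on one or more domain controllers
# and converts the cumulative totals into per-second rates for DC capacity planning.
# The counter-name regex and the DC names in the usage line are assumptions; adjust them to your environment.

function Measure-KdcRequestRates {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$SampleIntervalSeconds = 10,
        [int]$Samples = 6,
        # Picks the AS/TGS totals plus the claims-aware and armored (FAST) variants of those counters
        [string]$CounterFilter = 'KDC .*(AS|TGS) Requests'
    )

    foreach ($dc in $ComputerName) {
        # Paths returned with -ComputerName already carry the \\dc\ prefix, so they can be sampled directly.
        $set   = Get-Counter -ListSet 'Security System-Wide Statistics' -ComputerName $dc -ErrorAction Stop
        $paths = $set.Paths | Where-Object { $_ -match $CounterFilter }
        if (-not $paths) {
            Write-Warning "$dc exposes no KDC request counters; is it a domain controller?"
            continue
        }

        # Counters are totals since the KDC started: take several samples and derive a rate from the first/last pair.
        $sampleSets = Get-Counter -Counter $paths -SampleInterval $SampleIntervalSeconds -MaxSamples $Samples
        $first   = $sampleSets[0].CounterSamples
        $last    = $sampleSets[-1].CounterSamples
        $elapsed = ($sampleSets[-1].Timestamp - $sampleSets[0].Timestamp).TotalSeconds

        for ($i = 0; $i -lt $first.Count; $i++) {
            [pscustomobject]@{
                DomainController = $dc
                Counter          = ($first[$i].Path -split '\\')[-1]
                Total            = [int64]$last[$i].CookedValue
                RequestsPerSec   = if ($elapsed -gt 0) {
                                       [math]::Round(($last[$i].CookedValue - $first[$i].CookedValue) / $elapsed, 2)
                                   } else { 0 }
            }
        }
    }
}

# Usage: sample each Windows Server 2012 DC for one minute and compare the claims/FAST share of the load.
# DC01 and DC02 are placeholder names.
Measure-KdcRequestRates -ComputerName 'DC01', 'DC02' -SampleIntervalSeconds 10 -Samples 6 |
    Sort-Object DomainController, Counter | Format-Table -AutoSize
```

If the claims-aware and armored counters stay at zero after the client and KDC policies have been enabled, the clients are still obtaining classic tickets, which usually points to the policy not having reached them yet or to a DC that is not running Windows Server 2012 handling the requests.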

In a mixed environment, choose the Supported option in the KDC group policy setting for claims, Compound Authentication, and armoring so that legacy clients that cannot use these features are still served.

Legacy clients can still access file servers that use Dynamic Access Control permissions. In that scenario the file server queries Active Directory itself to determine which claims the user and the machine have, so you can also use this path to verify that your solution is working. The file server resolves the user's identity and, with that information, evaluates access to your shared files, as shown in the following screenshot:

[Figure: Kerberos authentication enhancements]

Note

The access-denied messages are only available on Windows 8 / Windows Server 2012 and newer versions.

The following figure shows the changed Kerberos flow when claims are not used:

[Figure: Kerberos authentication enhancements]