Claims support in Windows 8/2012 and newer
The following section gives a short introduction to the most important changes in the Kerberos protocol.
Kerberos authentication enhancements
The Kerberos authentication enhancements include:
- Kerberos Security Support Provider (SSP)
The main enhancement is in Kerberos.dll, which now includes user claims and device authorization. This functionality lets you use device information to authorize access to a file or folder.
- Key Distribution Center (KDC)
The KDC supports claims.
- Claim information within the Privilege Attribute Certificate (PAC) includes:
- PAC in Pre-Windows 2012: It contains user and group membership security identifiers
- PAC in Kerberos Ticket Granting Ticket (TGT): It contains information for a security principal and is optional for a device
- NT Token sections
The right-hand part of the preceding figure shows the new authentication token (the 2012 token) that can be used. The main difference is that device and user claims can now be used to authorize access to a file or folder.
- Kerberos Armoring (FAST)
Kerberos Armoring is the Windows name for Flexible Authentication Secure Tunneling (FAST), which is defined in RFC 6113.
- Compound Authentication
Compound Authentication allows a Ticket Granting Service (TGS) request to carry two identities: the user and the device.
- Token size reduction and a default maximum token size of 48 KB
Warning events for large Kerberos tickets are configured under Computer Configuration\Policies\Administrative Templates\System\KDC.
Note
The default maximum token size is 12 KB for versions up to Windows 7 and Windows Server 2008 R2. If a user's Kerberos token grows too large because of membership in many groups, that user receives error messages during logon and applications that use Kerberos authentication may fail.
The following figure shows the Kerberos flow in a pre-Windows 2012 file server access solution, where no claims are used in accessing a file server and traditional access controls apply.
The default configuration of Windows 8 / Windows Server 2012 and newer versions behaves the same as Windows Server 2008 R2 and Windows 7 environments. For claims support, the administrator must enable it by configuring the group policy settings for the client machines under Policies\Computer Configuration\Administrative Templates\System\Kerberos; this is where Kerberos client support for claims, Compound Authentication, and Kerberos Armoring is defined.
KDC support for claims, Compound Authentication, and Kerberos Armoring is enabled in the corresponding group policy setting under Policies\Computer Configuration\Administrative Templates\System\KDC.
The following figure shows the changed Kerberos flow with the usage of claims:
Be sure to plan enough Windows Server 2012 domain controllers in your Active Directory environment. Monitor the KDC AS (KDC Authentication Service) and KDC TGS request performance counters to determine how many domain controllers you need.
After claims deployment, monitor the following performance counters:
- KDC AS request with claims for domain controllers
- KDC AS requests with FAST for domain controllers
- KDC TGS requests with FAST for domain controllers
In a mixed environment, be sure to choose the Supported option in the KDC group policy settings for claims, Compound Authentication, and armoring, so that all legacy clients can still authenticate.
Furthermore, legacy clients have no problem accessing file servers that use Dynamic Access Control permissions, because in that scenario the file server queries Active Directory and forwards the claims request itself to determine which claims the user and machine hold and whether your solution is working. The file server therefore checks the user's name and, with that information, evaluates access to your shared files, as shown in the following screenshot:
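The following PowerShell script is an added example (not from the book) that audits the two group policy settings, the token size, and the KDC counters described above on the local machine; run it elevated on a client or a Windows Server 2012 domain controller. The registry value names EnableCbacAndArmor, CbacAndArmorLevel and MaxTokenSize are the values those policies write; the counter-name filter is an assumption and should be checked against Get-Counter -ListSet on your domain controllers.

```powershell
# Added example: audit the client/KDC claims settings and KDC counters described above.
$ClientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$KdcKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the policy is "Not configured" (key or value absent).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Client side: "Kerberos client support for claims, compound authentication and Kerberos armoring"
$client = Get-PolicyValue $ClientKey 'EnableCbacAndArmor'
if ($client -eq 1) { $clientState = 'Enabled' }
elseif ($client -eq 0) { $clientState = 'Disabled' }
else { $clientState = 'Not configured (client behaves as pre-2012)' }
"Client claims/compound auth/armoring : $clientState"

# KDC side: "KDC support for claims, compound authentication and Kerberos armoring"
$levels = @{ 0 = 'Not supported'; 1 = 'Supported'; 2 = 'Always provide claims';
             3 = 'Fail unarmored authentication requests' }
$kdcEnabled = Get-PolicyValue $KdcKey 'EnableCbacAndArmor'
$kdcLevel   = Get-PolicyValue $KdcKey 'CbacAndArmorLevel'
if ($kdcEnabled -eq 1 -and $null -ne $kdcLevel) {
    "KDC claims/compound auth/armoring    : $($levels[[int]$kdcLevel])"
    if ([int]$kdcLevel -eq 3) {
        Write-Warning 'Level 3 rejects unarmored requests; pre-2012 clients cannot authenticate. Use "Supported" in a mixed environment.'
    }
} else {
    "KDC claims/compound auth/armoring    : Not configured or disabled (KDC behaves as pre-2012)"
}

# Token size: policy value first, then the legacy LSA value. 48000 bytes is the 48 KB default from the text.
$maxToken = Get-PolicyValue $ClientKey 'MaxTokenSize'
if ($null -eq $maxToken) { $maxToken = Get-PolicyValue $LsaKey 'MaxTokenSize' }
if ($null -eq $maxToken) { 'MaxTokenSize: not set (OS default: 12 KB before Windows 8/2012, 48 KB after)' }
elseif ($maxToken -lt 48000) { Write-Warning "MaxTokenSize is $maxToken bytes, below the 48 KB default" }
else { "MaxTokenSize: $maxToken bytes" }

# Counters from the text (AS requests with claims, AS/TGS requests with FAST): discovered by
# name pattern (assumed) so a differently worded counter name does not break the script.
$counterPaths = (Get-Counter -ListSet * -ErrorAction SilentlyContinue).Paths |
    Where-Object { $_ -match 'KDC.*(claims|FAST)' }
if ($counterPaths) {
    (Get-Counter -Counter $counterPaths -SampleInterval 1 -MaxSamples 1).CounterSamples |
        Format-Table Path, CookedValue -AutoSize
} else {
    'No KDC claims/FAST counters found: run this on a Windows Server 2012 or newer domain controller.'
}
```

Sample the counters repeatedly over a business day to size the number of domain controllers, as the text advises, rather than relying on a single snapshot.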
The following figure shows the changed Kerberos flow when claims are not used: