{69A692F6-134C-4B08-A059-116D0F4DBA71} azureblog.pl KDC Support for claims true 2020-06-01T17:45:51 2020-06-01T17:48:49 2020-06-01T17:49:48.6099793Z O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-657827913-1895599540-1755036276-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) S-1-5-21-657827913-1895599540-1755036276-512 AZUREBLOG\Domain Admins S-1-5-21-657827913-1895599540-1755036276-512 AZUREBLOG\Domain Admins true false S-1-5-9 NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow false true false true false Read 0 S-1-5-18 NT AUTHORITY\SYSTEM Allow false true false true false Edit, delete, modify security 0 S-1-5-21-657827913-1895599540-1755036276-512 AZUREBLOG\Domain Admins Allow false true false true false Edit, delete, modify security 0 S-1-5-11 NT AUTHORITY\Authenticated Users Allow false true false true false Apply Group Policy 0 S-1-5-21-657827913-1895599540-1755036276-519 AZUREBLOG\Enterprise Admins Allow false true false true false Edit, delete, modify security 0 false true 2 2 true KDC support for claims, compound authentication and Kerberos armoring Enabled This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring. If you configure the "Not supported" option, the domain controller does not support claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems. Note: For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features. If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring. Domain functional level requirements For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and: - If you set the "Always provide claims" option, always returns claims for accounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages. Warning: When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled). Impact on domain controller performance when this policy setting is enabled: - Secure Kerberos domain capability discovery is required resulting in additional message exchanges. - Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size. At least Windows Server 2012, Windows 8 or Windows RT System/KDC Claims, compound authentication for Dynamic Access Control and Kerberos armoring options: Enabled Always provide claims Kerberos client support for claims, compound authentication and Kerberos armoring Enabled This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. At least Windows Server 2012, Windows 8 or Windows RT System/Kerberos false Registry 0 0 true Domain Controllers azureblog.pl/Domain Controllers true false