Configuring Kerberos delegation
Windows Server implements Kerberos v5, with the authentication client implemented as a
security support provider (SSP). Initial user authentication is integrated with the Winlogon
single sign-on (SSO) architecture. The Kerberos Key Distribution Center (KDC) runs on every
domain controller and uses AD DS as its security account database. In Windows 8.x,
Windows Server 2012, and Windows Server 2012 R2, Kerberos authentication can also be proxied
over HTTPS (the KDC proxy service) for clients connecting through DirectAccess or Remote
Desktop Services, so a client outside the network need not reach a domain controller directly.
New Group Policy settings
Windows Server 2012 and Windows Server 2012 R2 include a new Kerberos administrative
template with GPO settings to configure Kerberos. These settings are shown in Table 5-1.
TABLE 5-1 New administrative template policy settings

Policy: Set maximum Kerberos SSPI context token buffer size
Description: Sets the value returned to applications that ask for the maximum size of the
authentication context token buffer. The recommended size is 48,000 bytes.

Policy: Warning events for large Kerberos tickets
Description: Sets the size threshold above which the KDC logs a warning (Event ID 31) for a
large Kerberos ticket. If this policy is not configured, the threshold defaults to 12,000 bytes.

Policy: KDC support for claims, compound authentication, and Kerberos armoring
Description: Enables a domain controller to support claims and compound authentication for
Dynamic Access Control (DAC) and Kerberos armoring.

Policy: Kerberos client support for claims, compound authentication, and Kerberos armoring
Description: Enables devices running Windows 8.x to request claims, supply the device identity
needed for compound authentication, and armor Kerberos messages in domains whose domain
controllers support these features.

Policy: Support compound authentication
Description: Controls whether the client requests compound authentication (user plus device
identity) when it obtains service tickets. When configured, you can set it to Never, Automatic,
or Always.

Policy: Fail authentication requests when Kerberos armoring is not available
Description: When enabled, client computers require that Kerberos message exchanges (AS and
TGS) with a domain controller be armored, and authentication fails if the client cannot reach a
domain controller that supports armoring.
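The two settings in Table 5-1 that an administrator most often has to act on are the token buffer size and the large-ticket warning. The following PowerShell is an added example, not code from the book: it writes the token buffer policy into a GPO with the GroupPolicy (RSAT) module and then, on a domain controller, pulls the KDC's large-ticket warnings so the accounts that triggered them can be investigated for group bloat. The GPO name is an assumption; the registry key is the one the Kerberos administrative template writes for this policy and the event provider name is the KDC's, both stated from the author's knowledge rather than from the page.

```powershell
# Added example (not from the book). Run on a domain-joined admin workstation with
# the RSAT GroupPolicy module; the event query at the end is meant for a domain controller.
Import-Module GroupPolicy

$gpoName = 'Kerberos Hardening'   # assumed GPO name; create it if it does not exist yet
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# "Set maximum Kerberos SSPI context token buffer size" is delivered as the DWORD
# MaxTokenSize under the Kerberos policy key (value in bytes; 48,000 is the recommended size).
$clientKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'MaxTokenSize' `
    -Type DWord -Value 48000 | Out-Null

# Read back what the GPO will deliver, so the change can be confirmed before linking it.
Get-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'MaxTokenSize' |
    Select-Object ValueName, Type, Value

# On a domain controller: list the tickets that crossed the large-ticket warning threshold.
# The KDC logs these as Event ID 31 in the System log; the message names the account whose
# ticket was oversized, which is the one to check for excessive group membership or SID history.
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 31
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Link the GPO to the OUs holding the client computers (New-GPLink) once the read-back looks right; the large-ticket events are worth checking before raising MaxTokenSize, because a larger buffer hides the symptom of oversized tickets without fixing the group membership that causes them.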
In Windows Server 2012 and Windows Server 2012 R2, resource-based Kerberos constrained
delegation can be used to provide constrained delegation when front-end services and back-end
resources are not in the same domain. Constrained delegation restricts a server to act on behalf
of a user for only specific services. With resource-based constrained delegation the setting is
stored on the back-end (resource) account, in its msDS-AllowedToActOnBehalfOfOtherIdentity
attribute, rather than on the front-end account as with classic constrained delegation, so the
owner of the resource decides which front-end servers may impersonate users to it. To configure
a resource service to allow a front-end server to act on behalf of users, use the
-PrincipalsAllowedToDelegateToAccount parameter of the New and Set verbs of the ADComputer,
ADServiceAccount, and ADUser cmdlets. Use the Get verb of the same cmdlets with the
-Properties PrincipalsAllowedToDelegateToAccount parameter to retrieve the list of principals
that are currently allowed to delegate to the account.
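The following PowerShell is an added example, not code from the book, showing the configuration just described end to end: granting a front-end web server the right to impersonate users to a back-end SQL server, verifying the grant, auditing the domain for every account that carries such a grant, and removing it. The host names WEB01 and SQL01 are assumptions; the cmdlets and the -PrincipalsAllowedToDelegateToAccount parameter are the ones the text names.

```powershell
# Added example (not from the book). Requires the RSAT ActiveDirectory module and
# write access to the back-end computer object. Host names below are assumptions.
Import-Module ActiveDirectory

$frontEnd = Get-ADComputer -Identity 'WEB01'   # the server that will impersonate users
$backEnd  = 'SQL01'                            # the resource that receives the delegated requests

# Grant: the setting is written on the resource (back-end) account. This is the resource
# owner's decision, which is why it works across domain and forest boundaries.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify: the Get verb returns the distinguished names of principals allowed to delegate.
$allowed = (Get-ADComputer -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
if ($allowed -contains $frontEnd.DistinguishedName) {
    Write-Output "$($frontEnd.Name) may now act on behalf of users to $backEnd"
}

# Audit: every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute is populated.
# Anyone with write access to that attribute can authorize impersonation to the host, so each
# entry is a trust boundary to review, and write permissions on these objects should be minimal.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, @{ n = 'AllowedToDelegate'; e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } }

# Remove: passing $null clears the list, which ends the front-end server's ability to
# impersonate users to the back end.
# Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $null
```

Replace Get-ADComputer with Get-ADServiceAccount or Get-ADUser when the front-end service runs under a group managed service account or a user account; the Set verb on the back-end side changes the same way if the resource is a service account or user rather than a computer.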