SID Compression

Credits

This articles has been nicely put together by Matthias Jarka, with input from Michael Koeppl and Katharina Suedkamp!

Thanks to Robert Stampfer and Justin Hall

 

---

 

---

Background Privilege Attribute Certificate (Sum of all SIDs, Rights and Privileges)

The PAC contains various types of authorization data including groups that the user is a member of, rights the user has, and what policies apply to the user

• Detailed information about Kerberos usage (PAC validation):
  • See Kerberos PAC Validation… what is it?
• This blog post focuses on understanding Microsoft Kerberos PAC validation. It discusses the topic from inter-operability perspective with Windows operating systems. A SMB session establishment scenario is used to illustrate how PAC validation works.
  • See Understanding Microsoft Kerberos PAC Validation

 

---

New attributes for SID compression

See: Domain Local Group Membership (http://msdn.microsoft.com/en-us/library/e55ad922-4940-432d-a253-41919d6efd24(prot.20).aspx#endNote51)

If the Resource-SID-compression-disabled bit is NOT set in the Application Server's service account's KerbSupportedEncryptionTypes and NOT set in the krbtgt's account's KerbSupportedEncryptionTypes:<66>

• The ResourceGroupDomainSid field contains the SID for the domain.
• The ResourceGroupCount field contains the number of groups in the ResourceGroupIds field.
• The ResourceGroupIds field contains the pointer to a list which is the list copied from the PAC in the TGT plus a list constructed from the domain local groups where:
  • RelativeId ([MS-PAC] section 2.2.2) contains the RID of the value pmsgOut.ppDsNames.Sid ([MS-DRSR] section 5.50).
  • Attributes ([MS-PAC] section 2.2.2) has the A, B, C and E bits set to 1, and all other bits set to zero.

 

---

Information about SID compression

MaxTokenSize and Windows 8 and Windows Server 2012

 

By default, a Windows Server 2012 KDC will always compress resource SIDs. To compress resource SIDs, the KDC stores SID of the resource domain to which the target resource is a member. Then, it inserts only the RID portion of each resource SID into the ResourceGroupIds portion of the authentication data.

 

Resource SID Compression reduces the size of each stored instance of a resource SID because the domain SID is stored once rather than with each instance. Without resource SID Compression, the KDC inserts all the SIDs added by the resource domain in the Extra-SID portion of the PAC structure, which is a list of SIDs. [MS-KILE]

 

Interoperability

Other Kerberos implementations may not understand resource group compression and therefore are not compatible. In these scenarios, you may need to disable resource group compression to allow the Windows Server 2012 KDC to interoperate with the third-party Kerberos implementation.

Resource SID compression is on by default; however, you can disable it. You disable resource SID compression on a Windows Server 2012 KDC using the DisableResourceGroupsFields registry value under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kdc\Parameters registry key. This registry value has a DWORD registry value type. You completely disable resource SID compression when you set the registry value to 1. The KDC reads this configuration when building a service ticket. With the bit enabled, the KDC does not use resource SID compression when building the service ticket.

 

Wrap up

There's the skinny on the Kerberos enhancements included in Windows 8 and Windows Server 2012 that specifically target large service ticket and MaxTokenSize scenarios. To summarize:

• Increased default MaxTokenSize from 12k to 48k
• New Group Policy setting to centrally manage MaxTokenSize
• New Group Policy setting to write warnings to the system event log when a service ticket exceeds a designated threshold
• New Resource SID compression to reduce the storage size of SIDs from the resource domain

 

---

Two ways of work around

(Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices)

1. Disable Resource Group Compression on the affected machine
   1. Disable Resource Group Compression bit (0x80000) in msDS-SupportedEncryptionTypes attribute of the object in Active Directory that is the principal representing the security context of the NAS/Linux service
2. Disable Resource SID compression at all
   1. This resolution should be used only when resolution one cannot be used

 

 

---

Two scenarios and which workaround to use

Windows client to non-windows server

User logs on to a windows client and accesses a non-windows server (No SID compression possible)

1. User executes a TGS request with KDC
2. KDC checks the msDS-SupportedEncryptionTypes setting of the non-windows server and generates a TGS ticket w/o SID compression.

 

User logs on to a non-windows machine (No SID compression possible)

1. No change for TGT request against KDC as this is for the user account (Client do not need to handle that)
2. For user logon to the non-windows client a TGS request is executed
3. KDC checks the msDS-SupportedEncryptionTypes setting of the non-windows client and generates a TGS ticket w/o SID compression

 

---

References

• Kerberos PAC Validation… what is it?
• Understanding Microsoft Kerberos PAC Validation
• Domain Local Group Membership
• MaxTokenSize and Windows 8 and Windows Server 2012
• Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices

---

See also

• KDC Resource SID Compression 

 

---