4.1.2.2 SID Filtering and Claims Transformation

A PAC from a cross-realm TGT needs to be parsed and analyzed. The type and stringency of the analysis is determined by the type and quality of inter-domain trust from which the TGT originates. The different types of trusts are qualified based on their different SID filtering and claims transformation requirements. Different trust boundaries apply to each trust type, as specified in the following table.<31>

| Trust boundary type | Description |
| --- | --- |
| Member | The member boundary filters SIDs that are in the AlwaysFilter group as well as anything that has the prefix of the member server. |
| WithinDomain | Within a domain, each domain controller trusts every other domain controller. |
| WithinForest | Within a forest, there are parent/child trust relationships and shortcut trust relationships between the domains in the forest. Each domain controller trusts every other domain controller within the forest. |
| QuarantinedWithinForest | A parent-child trust between a leaf domain in a forest and its parent can be marked as quarantined. The only SIDs that are allowed to be passed from such a domain are the "Enterprise Domain Controllers" (S-1-5-9) SID and those described by the trusted domain object (TDO). |
| CrossForest | One forest can transitively trust all of the domains in another forest. A cross-forest trust allows all the SIDs from the domains in the other forest to pass, and does not allow SIDs that are local to its forest to come over a cross-forest trust. A trusting domain SHOULD<32> transform claims ([MS-ADTS] section 3.1.1.11.2.11) to ensure that incoming claims that match claims local to its forest are explicitly allowed. |
| External | A domain can trust a domain outside the forest. The trusting domain does not allow SIDs that are local to its forest to come over an external trust. A trusting domain SHOULD<33> transform claims ([MS-ADTS] section 3.1.1.11.2.11) to ensure that incoming claims that match claims local to its forest are explicitly allowed. |
| QuarantinedExternal | The only SIDs that are allowed to be passed from a quarantined external domain are those of the trusted domain. |
| PrivilegedIdentityManagement (PIM) | A domain can be externally managed by a domain that is outside the forest.<34> The trusting domain allows SIDs that are local to its forest to come over a PrivilegedIdentityManagement trust. A trusting domain transforms claims ([MS-ADTS] section 3.1.1.11.2.11) to ensure that incoming claims that match claims local to its forest are explicitly allowed. |

SIDs are categorized into the following classes. They follow the rules of their class when crossing a trust boundary.

| Action | Rules |
| --- | --- |
| AlwaysFilter | This rule is for those SIDs that are not allowed across any trust boundaries. |
| ForestSpecific | The ForestSpecific rule is for those SIDs that are never allowed in a PAC that originates from out of the forest or from a domain that has been marked as QuarantinedWithinForest, unless it belongs to that domain. SIDs in this category are filtered out for QuarantinedWithinForest, CrossForest, External, and QuarantinedExternal trust boundaries. |
| EDC | The EDC rule applies only to the well-known enterprise domain controller SID (as specified in [MS-ADTS] section 6.1.1.2.6.9). This SID is filtered out for CrossForest, External, QuarantinedExternal, and PrivilegedIdentityManagement trust boundaries. |
| DomainSpecific | The DomainSpecific rule applies to those SIDs that are relative to the authority processing the PAC, referred to here as the "local domain". This category of SID is filtered out of a PAC entering the local domain. That is, if a domain controller encounters SIDs in a PAC that appear to be from its own domain, it filters them out. Likewise, for a single machine, if an incoming PAC contains SIDs from its local domain, they are filtered out. All of the SIDs in this category are of the form S-1-5-21-<Domain>-<ConstantRid>; such SIDs represent well-known accounts in the domain. There are three rules of processing for this category: (1) SIDs are filtered by comparing the SID from the PAC with the SID of the local domain; if they match and the ConstantRid matches one of the constant RIDs for this category, the SID is removed from the PAC. (2) For each SID in the PAC, if the SID does not match the LogonDomainId in the PAC and the SID is in this category, the SID is removed from the PAC. (3) For CrossForest and External trusts, if the LogonDomainId in the PAC is for a domain within the local forest, the attempt to cross the trust boundary by the authentication protocol fails, as the authorization data is invalid. |
| NeverFilter | Never filter any SIDs from this category. |

The following table shows the correlation between SIDs and trust boundaries, representing the effective behavior of SID filtering on PAC authorization data.

The "SID pattern" column lists a particular SID. There are cases where a set of SIDs is represented by a single row in the table. For instance, the syntax S-1-5-* means the set of version 1 SIDs with authority 5 that have not been explicitly mentioned elsewhere in the table.

The Description column describes the characteristics of the SID pattern. The Action column describes the SID filtering action, as described in the preceding table.<35>

| SID pattern | Description of the pattern | Action |
| --- | --- | --- |
| S-1-0-0 | Null SID | AlwaysFilter |
| S-1-1-0 | Everyone | AlwaysFilter |
| S-1-2-0 | Local | AlwaysFilter |
| S-1-3-0 | Creator Owner | AlwaysFilter |
| S-1-3-1 | Creator Group | AlwaysFilter |
| S-1-3-2 | Creator Owner Server | AlwaysFilter |
| S-1-3-3 | Creator Group Server | AlwaysFilter |
| S-1-4 | NonUnique Authority | NeverFilter |
| S-1-5 | NT Authority | AlwaysFilter |
| S-1-5-1 | Dialup | AlwaysFilter |
| S-1-5-2 | Network | AlwaysFilter |
| S-1-5-3 | Batch | AlwaysFilter |
| S-1-5-4 | Interactive | AlwaysFilter |
| S-1-5-5-* | LogonId | AlwaysFilter |
| S-1-5-6 | Service | AlwaysFilter |
| S-1-5-7 | Anonymous Logon | AlwaysFilter |
| S-1-5-8 | Proxy | AlwaysFilter |
| S-1-5-9 | Enterprise Domain Controllers | EDC |
| S-1-5-10 | Self | AlwaysFilter |
| S-1-5-11 | Authenticated Users | AlwaysFilter |
| S-1-5-12 | Restricted | AlwaysFilter |
| S-1-5-13 | Terminal Server User | AlwaysFilter |
| S-1-5-14 | Remote Interactive User | AlwaysFilter |
| S-1-5-15 | "This Org" | NeverFilter |
| S-1-5-18 | Local System | AlwaysFilter |
| S-1-5-19 | Local Service | AlwaysFilter |
| S-1-5-20 | Network Service | AlwaysFilter |
| S-1-5-21 | NT Account Domain | AlwaysFilter |
| S-1-5-21-x | Partially formed SID | AlwaysFilter |
| S-1-5-21-x-y | Partially formed SID | AlwaysFilter |
| S-1-5-21-X-Y-Z-R-* | Invalid domain SID (too many RIDs) | AlwaysFilter |
| S-1-5-21-X-Y-Z | Identifies a domain, not a principal | AlwaysFilter |
| S-1-5-21-0-0-0-496 | Compounded Authentication | NeverFilter<36> |
| S-1-5-21-0-0-0-497 | Claims Valid | NeverFilter<37> |
| S-1-5-21-<Domain>-R (R < 500) | Well-known SID range | ForestSpecific |
| S-1-5-21-<Domain>-500 | Administrator | ForestSpecific* |
| S-1-5-21-<Domain>-501 | Guest | ForestSpecific* |
| S-1-5-21-<Domain>-502 | Krbtgt | ForestSpecific* |
| S-1-5-21-<Domain>-512 | Domain Admins | ForestSpecific* |
| S-1-5-21-<Domain>-513 | Domain Users | ForestSpecific* |
| S-1-5-21-<Domain>-514 | Domain Guests | ForestSpecific* |
| S-1-5-21-<Domain>-515 | Domain Computers | ForestSpecific* |
| S-1-5-21-<Domain>-516 | Domain Controllers | ForestSpecific* |
| S-1-5-21-<Domain>-517 | Cert Publishers | ForestSpecific* |
| S-1-5-21-<Domain>-518 | Schema Admins | ForestSpecific* |
| S-1-5-21-<Domain>-519 | Enterprise Admins | ForestSpecific* |
| S-1-5-21-<Domain>-520 | Group Policy Creator Owners | ForestSpecific* |
| S-1-5-21-<Domain>-R (500 <= R < 1000), except S-1-5-21-<Domain>-518 and S-1-5-21-<Domain>-519 above | Reserved domain-specific values. Never assigned as primary identities to user accounts. | ForestSpecific* |
| S-1-5-21-<Domain>-R (R >= 1000) | Identifiers for end user-created domain identities and domain groups. | Not filtered at domain and external trust boundaries. Can be filtered at member, quarantined, and cross-forest boundaries. |
| S-1-5-21-X-Y-Z-R where X-Y-Z does not match this <Domain> | All Except on trusted domain object (TDO) | If the trusting domain is configured to filter all except on TDO, then the domain controller filters all SIDs that are not from the trusted domain. |
| S-1-5-21-X-Y-Z-R where X-Y-Z does not match identities of the domains in a trusted forest that have been selected as trusted | All Except on Forest Trust Information (FtInfo). Identities from other forests. | If the trusting domain is configured to filter all except on FtInfo, then the domain controller filters all SIDs that are not from the trusted domains in the trusted forest. The FtInfo is the collection of domain SIDs in the forest. By default, the FtInfo is the list of all domains in the trusted forest, but it can be configured to be a subset of domain SIDs trusted by the domain. |
| S-1-5-32 | Built-in Domain | AlwaysFilter |
| S-1-5-32-544 | Administrators | AlwaysFilter |
| S-1-5-32-545 | Users | AlwaysFilter |
| S-1-5-32-546 | Guests | AlwaysFilter |
| S-1-5-32-547 | Power Users | AlwaysFilter |
| S-1-5-32-548 | Account Operators | AlwaysFilter |
| S-1-5-32-549 | System Operators | AlwaysFilter |
| S-1-5-32-550 | Print Operators | AlwaysFilter |
| S-1-5-32-551 | Backup Operators | AlwaysFilter |
| S-1-5-32-552 | Replicator | AlwaysFilter |
| S-1-5-32-553 | Ras Servers | AlwaysFilter |
| S-1-5-32-554 | Pre-Win 2k Compatible | AlwaysFilter |
| S-1-5-32-555 | Remote Desktop Users | AlwaysFilter |
| S-1-5-32-556 | Network Configuration Operators | AlwaysFilter |
| S-1-5-32-R | Other Built-in Accounts | AlwaysFilter |
| S-1-5-64-<RpcId> | Security Providers. RpcId is the RPC Protocol Extensions security provider value specified in [MS-RPCE] section 2.2.1.1.7. | AlwaysFilter |
| S-1-5-R-* (R < 1000) | Reserved by Microsoft | AlwaysFilter |
| S-1-5-1000-* | Other Organization | NeverFilter |
| S-1-5-R-* (R > 1000) | Extensible | NeverFilter |
| S-1-6 | SiteServer Authority | AlwaysFilter |
| S-1-7 | Internet Site Authority | AlwaysFilter |
| S-1-8 | Exchange Authority | AlwaysFilter |
| S-1-9 | Resource Manager Authority | AlwaysFilter |
| S-1-10 | Passport Authority | NeverFilter |
| Invalid | Invalid SIDs | AlwaysFilter |
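The rules of the three tables above, carried into code as an added example that is neither part of this specification nor Windows' implementation: classify() maps a SID string onto its Action class from the SID pattern table, and filter_pac() applies the trust-boundary rules to a PAC's SID list, including the three DomainSpecific processing rules and the "All Except on TDO" / "All Except on FtInfo" rows. The function names, the Boundary enumeration, the "DomainIdentity" label chosen for the unnamed R >= 1000 row, and every SID in the usage section are assumptions constructed for the example. Two further modelling choices are assumptions: WithinDomain applies only AlwaysFilter, since the opening paragraph scopes filtering to cross-realm TGTs, and at a QuarantinedWithinForest boundary a ForestSpecific SID survives only when it belongs to the quarantined (trusted) domain, following the "unless it belongs to that domain" clause.

```python
import re
from enum import Enum


class Boundary(Enum):
    MEMBER = "Member"
    WITHIN_DOMAIN = "WithinDomain"
    WITHIN_FOREST = "WithinForest"
    QUARANTINED_WITHIN_FOREST = "QuarantinedWithinForest"
    CROSS_FOREST = "CrossForest"
    EXTERNAL = "External"
    QUARANTINED_EXTERNAL = "QuarantinedExternal"
    PIM = "PrivilegedIdentityManagement"


SID_RE = re.compile(r"S-1-(\d+)((?:-\d+)*)")
# Literal NeverFilter rows: "This Org", Compounded Authentication, Claims Valid.
NEVER_FILTER_LITERAL = {"S-1-5-15", "S-1-5-21-0-0-0-496", "S-1-5-21-0-0-0-497"}
EDC_SID = "S-1-5-9"  # Enterprise Domain Controllers
OUT_OF_FOREST = {Boundary.CROSS_FOREST, Boundary.EXTERNAL, Boundary.QUARANTINED_EXTERNAL}
QUARANTINED = {Boundary.QUARANTINED_WITHIN_FOREST, Boundary.QUARANTINED_EXTERNAL}


def classify(sid: str) -> str:
    """Map a SID string to its Action class from the SID pattern table.
    "DomainIdentity" is a label chosen here (assumption) for the unnamed R >= 1000 row."""
    m = SID_RE.fullmatch(sid)
    if m is None:
        return "AlwaysFilter"  # "Invalid SIDs" row
    if sid in NEVER_FILTER_LITERAL:
        return "NeverFilter"
    if sid == EDC_SID:
        return "EDC"
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-") if s]
    if authority in (4, 10):
        return "NeverFilter"  # NonUnique Authority, Passport Authority
    if authority != 5 or not subs:
        return "AlwaysFilter"  # S-1-0-0 .. S-1-3-3, S-1-6 .. S-1-9, bare S-1-5
    if subs[0] == 21:
        if len(subs) != 5:
            return "AlwaysFilter"  # partially formed SID, bare domain SID, or too many RIDs
        return "ForestSpecific" if subs[4] < 1000 else "DomainIdentity"
    if subs[0] < 1000:
        return "AlwaysFilter"  # S-1-5-1 .. S-1-5-20, S-1-5-5-*, S-1-5-32-*, S-1-5-64-*, reserved
    return "NeverFilter"  # S-1-5-1000-* (Other Organization) and S-1-5-R-* with R > 1000


def domain_of(sid: str) -> str:
    """Strip the RID: "S-1-5-21-X-Y-Z-R" -> "S-1-5-21-X-Y-Z"."""
    return sid.rsplit("-", 1)[0]


def filter_pac(sids, boundary, logon_domain_id, local_domain, local_forest,
               trusted_domain=None, ft_info=()):
    """Return (kept, dropped) for a PAC's SIDs crossing `boundary` into local_domain.
    local_forest is the set of domain SIDs in the local forest; trusted_domain is the
    domain SID described by the TDO; ft_info is the trusted forest's domain SID set."""
    # Third DomainSpecific rule: over CrossForest/External the LogonDomainId must be foreign.
    if boundary in (Boundary.CROSS_FOREST, Boundary.EXTERNAL) and logon_domain_id in local_forest:
        raise ValueError("LogonDomainId is in the local forest: authorization data is invalid")
    kept, dropped = [], []
    for sid in sids:
        cat = classify(sid)
        drop = cat == "AlwaysFilter"  # AlwaysFilter crosses no boundary; NeverFilter crosses all
        if cat == "EDC":
            drop = boundary in OUT_OF_FOREST or boundary is Boundary.PIM
        elif cat == "ForestSpecific" and boundary is not Boundary.WITHIN_DOMAIN:
            dom = domain_of(sid)
            drop = (dom == local_domain              # DomainSpecific rule 1: local well-known SIDs
                    or dom != logon_domain_id        # DomainSpecific rule 2: must match LogonDomainId
                    or boundary in OUT_OF_FOREST     # never allowed from outside the forest
                    # QuarantinedWithinForest: filtered unless it belongs to the quarantined domain
                    or (boundary is Boundary.QUARANTINED_WITHIN_FOREST and dom != trusted_domain))
        elif cat == "DomainIdentity":                # S-1-5-21-<Domain>-R with R >= 1000
            dom = domain_of(sid)
            if boundary is Boundary.MEMBER:
                drop = dom == local_domain           # member filters its own prefix
            elif boundary in QUARANTINED:
                drop = dom != trusted_domain         # "All Except on TDO"
            elif boundary is Boundary.CROSS_FOREST:
                drop = dom in local_forest or dom not in ft_info  # "All Except on FtInfo"
            elif boundary is Boundary.EXTERNAL:
                drop = dom in local_forest           # forest-local SIDs do not cross
        (dropped if drop else kept).append(sid)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample values: a parent domain receiving a PAC issued by its child domain.
    parent, child = "S-1-5-21-1-2-3", "S-1-5-21-100-200-300"
    pac = ["S-1-1-0", child + "-1105", child + "-512", parent + "-512", "S-1-5-9",
           "S-1-5-21-0-0-0-497", "S-1-5-32-544"]
    print(filter_pac(pac, Boundary.WITHIN_FOREST, child, parent, {parent, child}))
```

Running the block shows the WithinForest case: the child's own user and Domain Admins SIDs, the EDC SID and the Claims Valid SID pass, while Everyone, the built-in Administrators SID and the parent's own Domain Admins SID (DomainSpecific rule 1) are removed. Switching the boundary to CrossForest with an FtInfo set additionally strips S-1-5-9, every ForestSpecific SID, and any SID whose domain is forest-local or absent from FtInfo.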