In the first part of this series on Dynamic Access Control (DAC) in Windows Server 2012, I explained why DAC is a much-needed enhancement to the existing ACL model of controlling access to file server resources. I also discussed some of the terminology and components that you will need to understand before configuring DAC. Moving on, today in part two I’ll go over how to configure Kerberos for DAC, define claim types, and define resource properties in the Active Directory Administrative Center (ADAC).
Before using DAC in your environment you need to enable Kerberos armoring, sometimes referred to as Flexible Authentication Secure Tunneling (FAST), and compound authentication on domain controllers and clients. There are two settings that need to be enabled: claims support for the Active Directory (AD) Key Distribution Center (KDC), and claims support for Kerberos clients. The easiest way to do this is by applying the necessary configuration settings using Group Policy.
Open the Group Policy Management Console (GPMC) on Windows 8 or Server 2012 using a domain account that has permission to create new Group Policy Objects (GPOs):
The default option in the drop-down menu is “Supported”: DCs advertise to clients that the domain is claims and compound authentication capable and that Kerberos armoring is supported, and Windows Server 2012 DCs provide claims and compound authentication on request. The other two options, “Always provide claims” and “Fail unarmored authentication requests”, require that you raise the domain functional level to Windows Server 2012, which in turn means every DC in the domain must be running Windows Server 2012.
Now that we have a Group Policy Object prepared to enable claims support, I recommend that you link the GPO to your domain, unless you need to exclude some devices from claims support.
Now that the domain is ready for claims support, we need to define some claim types in Windows Server 2012. For the purposes of this demonstration, let’s define two claim types based on the Active Directory Country and Department attributes.
You’ll notice that the default value type is Single-valued Choice. You can define multiple suggested values for this value type, and administrators can then select one of the pre-defined suggested values from the list when configuring conditional expressions.
Repeat the steps above, but search for the department attribute in the Filter box and make sure that the department string is highlighted in the results. Add Finance and HR as suggested values. Back in ADAC, you should now see your two new claim types in the central pane.
Dynamic Access Control extends File Classification Infrastructure (FCI) functionality by allowing administrators to centrally define resource properties, which can be downloaded to file servers and used to tag files for classification purposes. Microsoft includes some resource properties out-of-the-box, along with a default resource property list. In the instructions below, we’ll enable the existing department resource property and create a new resource property for country.
Now we’ll make sure both properties belong to the main resource property list.
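The whole procedure above (the two Kerberos policy settings, the Country and Department claim types, and the resource properties) scripted as an added PowerShell example; this is not the article’s own material. It assumes the ActiveDirectory and GroupPolicy modules on a Windows Server 2012 DC, a GPO name of your choosing, the AD attribute `c` as the source of the Country claim, and registry paths and value names for the two policy settings taken from the KDC and Kerberos ADMX templates (verify them against your templates before use).

```powershell
# Added example (not from the article). Assumptions: GPO name below, attribute 'c'
# for Country, and the KDC/Kerberos policy registry paths from the ADMX templates.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'DAC Claims Support'   # assumed GPO name
$kdcKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'
$krbKey  = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# 1. GPO: KDC support for claims, compound authentication and Kerberos armoring.
#    CbacAndArmorLevel 1 = Supported (the default discussed above); 2 = Always
#    provide claims, 3 = Fail unarmored requests (both need a 2012 functional level).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
Set-GPRegistryValue -Name $gpoName -Key $kdcKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $kdcKey -ValueName 'CbacAndArmorLevel'  -Type DWord -Value 1 | Out-Null
# 2. GPO: Kerberos client support for claims, compound authentication and armoring.
Set-GPRegistryValue -Name $gpoName -Key $krbKey -ValueName 'EnableCbacAndArmor' -Type DWord -Value 1 | Out-Null
# Link the GPO at the domain root, as recommended above.
New-GPLink -Name $gpoName -Target (Get-ADDomain).DistinguishedName -ErrorAction SilentlyContinue | Out-Null

# 3. Claim types sourced from the 'c' (country) and 'department' attributes,
#    each a Single-valued Choice with suggested values (sample values constructed here).
$us = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('US', 'US', 'United States')
$gb = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('GB', 'GB', 'United Kingdom')
New-ADClaimType -DisplayName 'Country' -SourceAttribute 'c' -SuggestedValue $us, $gb
$fin = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('Finance', 'Finance', 'Finance department')
$hr  = New-Object Microsoft.ActiveDirectory.Management.ADSuggestedValueEntry('HR', 'HR', 'Human Resources')
New-ADClaimType -DisplayName 'Department' -SourceAttribute 'department' -SuggestedValue $fin, $hr

# 4. Resource properties: enable the built-in Department property and create a
#    Country property that shares the Country claim type's suggested values.
Set-ADResourceProperty -Identity 'Department_MS' -Enabled $true
New-ADResourceProperty -DisplayName 'Country' -IsSecured $true `
    -ResourcePropertyValueType 'MS-DS-SinglevaluedChoice' -SharesValuesWith 'Country'
# 5. Put both on the default list that file servers download.
Add-ADResourcePropertyListMember 'Global Resource Property List' -Members 'Country', 'Department_MS'

# Check: both claim types and both list members should now be present.
Get-ADClaimType -Filter * | Select-Object DisplayName, SourceAttribute, Enabled
Get-ADResourcePropertyList 'Global Resource Property List' | Select-Object -ExpandProperty Members
```

Clients and DCs pick up the policy only after a Group Policy refresh, so run gpupdate (or wait for the refresh interval) before testing claims.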
In part three of this series, I’ll show you how to create central access rules, deploy central access policies, and how to configure a Windows Server 2012 file server with Dynamic Access Control.
More from Russell Smith
Copyright ©2019 BWW Media Group