Conditional Access Template links
Active Roles enhances its authorization model by introducing conditional Access Template links, and takes advantage of conditional links by inserting user claims, device claims, and target object properties, into conditional expressions specified in access rules. An access rule can be applied to an Access Template link, causing the link to have an effect only if the access rule’s condition evaluates to TRUE. During permission check, Active Roles inserts the claims and properties into conditional expressions found in the access rule, evaluates these expressions, and enables or disables the Access Template link based on results of the evaluation. In this way, the access rule determines the results of the permission check.
Access rules, along with conditional Access Template links, enable Active Roles to leverage claims for authorization to securable objects. This authorization mechanism (known as claims-based access control) supplements Access Template based access control to provide an additional layer of authorization that is flexible to the varying needs of the enterprise environment.
Prerequisites for using Access Rules
Before you can use Access Rules, the following conditions must be fulfilled:
- Claim support must be enabled in your Active Directory domain. For details, review the topic Enabling claim support, later in this document.
- For Access Rules to use device claims, Group Policy setting Computer Configuration\ Policies\Administrative Templates\System\Kerberos\Support Compound Authentication with the Always option must be enabled on the client computers, in addition to the Kerberos client support for claims, compound authentication and Kerberos armoring setting (see Client computer).
- The Active Roles Administration Service must be installed on a computer running Windows Server 2016 or a later version of the Windows Server operating system.
- The Active Roles Administration Service that performs authorization using Access Rules must be installed in the Active Directory forest where the user account of the authorizing user is defined and in which the claim types used by the Access Rules are created. Active Roles does not support the use of Access Rules for cross-forest authorization.
- Group Policy setting Computer Configuration\Policies\Administrative Templates\ System\Kerberos\Kerberos client support for claims, compound authentication and Kerberos armoring must be enabled on the computer running the Administration Service.
- The Administration Service must be configured to support Kerberos authentication.
Configuring the Administration Service to support Kerberos authentication
Access Rules require the Active Roles Administration Service to support Kerberos authentication. This is because Windows claims are delivered inside Kerberos tickets. To enable Kerberos authentication, the Service Principal Name (SPN) of the Active Roles Administration Service must be added to the service account (domain user account under which the Administration Service runs). For example, suppose that:
arsrv.domain.com is the FQDN of the computer running the Administration Service
arsrv is the name of the computer running the Administration Service
In this example, the following SPNs must be added to the service account:
You can add the SPNs to the service account by using the Setspn command line tool:
setspn -s aradminsvc/<FQDN> <ServiceAccountName>
setspn -s aradminsvc/arsrv.domain.com domain\arsvcacct
setspn -s aradminsvc/<name> <ServiceAccountName>
setspn -s aradminsvc/arsrv domain\arsvcacct
Managing Windows claims
Claims are statements about an authenticated user or device, issued by an Active Directory domain controller running Windows Server 2016 or later. Claims can contain information about the user or device retrieved from Active Directory.
Dynamic Access Control (DAC), a feature of Windows Server 2012, employs claims-based authorization to create versatile and flexible access controls on sensitive resources by using access rules that evaluate information about the user who accesses those resources and about the device from which the user accesses those resources. By leveraging claims in the user's authentication token, DAC makes it possible to allow or deny access to resources based on the Active Directory attributes of the user or device.
Active Roles uses claims-based access rules to improve authorization management for Active Directory administration. With claims-based access rules, Active Roles adds more flexibility and precision in delegating control of Active Directory objects, such as users, computers or groups, by extending the Active Roles authorization model to recognize and evaluate the claims specific to the user who requests access to those objects or device used to request access.