User or computer claim issuance setting
You have the option to choose whether claims of the given claim type can be issued for user or computer object class, or both. With the option to issue claims for the user object class, the claim type causes domain controllers to issue user claims based on the attribute of the authenticating user. With the option to issue claims for the computer object class, the claim type causes domain controllers to issue device claims based the attribute of the authenticating user’s computer. You can configure a claim type to issue both user and device claims. When you create a conditional expression for an access rule, and choose the claim type to evaluate, the condition builder allows you to distinguish between user and device claims of the same claim type.
Protection from accidental deletion
By default, claim type objects are protected from accidental deletion. This option prohibits all users, including domain and enterprise administrators, from deleting the claim type object. Protection is achieved by adding an explicit permission entry to the claim type object that denies everyone the right to delete the object. When you create a claim type object, the option to protect the object from accidental deletion is selected by default. As a best practice, it is advisable to leave this option selected.
Suggested values setting
The suggested values setting allows you to configure predefined values from which you can choose when using the claim type in a conditional expression. If you create a claim type without suggested values, you will have to type rather than select values in the condition builder. Another option is to create one or more suggested values for the claim type. These values will appear in a list provided by the condition builder.
You can add, edit or remove suggested values for a given claim type when creating or modifying the respective claim type object. When you add or edit a suggested value, you are prompted to complete the following fields:
- Value This value data will be used when evaluating conditional expressions that include the suggested value you are configuring.
- Display name This is the name of the suggested value that appears in the list when you configure a conditional expression.
Steps for managing Claim Types
Claim types must be created in Active Directory to enable domain controllers to issue claims to users or computers. Claims issued by the domain controller are sourced from attributes of user or computer accounts stored in Active Directory. Claim types specify the attributes from which the claims are sourced, and contain metadata required for using claims.
New claim types are created in the Claim Types container under the Active Directory node located in the Active Roles console tree. If you have domains from multiple forests registered with Active Roles, then the console displays an individual Claim Types container for each forest that has domain controllers running Windows Server 2016 or a later version of the Windows Server operating system. To identify the forest of a given Claim Types container, the container name includes the name (or a part of the name) of the forest root domain.
To create a new claim type
- Right-click the Claim Types container, and select New | Claim Type.
- On the Source Attribute page, select the desired source attribute for claims of this type.
- Review the auto-generated display name and description, and change them if needed.
- Under Claims of this type can be issued for the following classes, select:
- The User check box to enable issuance of this claim type to users
- The Computers check box to enable issuance of this claim type to computers
- Select the Set ID to a semantically identical claim type in a trusted forest check box if the claim type must match an existing claim type in a different forest. Type the claim identifier. Clear this check box to generate the claim identifier automatically.
- Select the Protect from accidental deletion check box to ensure an administrator cannot accidentally delete the claim type. Clear the check box to remove accidental deletion protection.
- Click Next to proceed to the Suggested Values page.
- Click the option you want for suggested values. Create suggested values as needed.
- Click Finish.
To modify an existing claim type
- Right-click the claim type you want to modify and then click Properties.
- On the Source Attribute page, view or change the source attribute, the display name, description, user or computer claim issuance options, and the option to protect the claim type from accidental deletion.
- Click the Suggested Values tab to view or change suggested values.
- Click OK to save the modified claim type.
To delete a claim type
- Right-click the claim type and then click Delete.
- Confirm the claim type deletion.
If you encounter a message stating that you don’t have permission to delete the claim type, then modify the claim type and clear the Protect from accidental deletion check box. If this check box is cleared, verify that you have sufficient rights to delete claim type objects.