Merged PR 10796: Kerberos/UPNNameHints - new in Policy CSP

This commit is contained in:
Maricia Alforque 2018-08-20 23:21:58 +00:00
parent 064950fdc2
commit 182d0dbfd9
2 changed files with 429 additions and 366 deletions

View File

@ -2060,6 +2060,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd> <dd>
<a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a> <a href="./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize" id="kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd> </dd>
<dd>
<a href="./policy-csp-kerberos.md#kerberos-upnnamehints" id="kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
</dl> </dl>
### KioskBrowser policies ### KioskBrowser policies
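Review bot: the href fragment `#kerberos-upnnamehints` in the new `<dd>` entry has to match the `id` of the anchor this same PR adds to policy-csp-kerberos.md, and it does (`<a href="" id="kerberos-upnnamehints"></a>`), so the cross-page link will resolve; the entry also keeps the list's alphabetical order after Kerberos/SetMaximumContextTokenSize. Nothing to change in this hunk, but keep the two in sync if the policy is renamed before release, since the page footnote marks it as "Added in the next major release of Windows 10".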

View File

@ -1,366 +1,426 @@
--- ---
title: Policy CSP - Kerberos title: Policy CSP - Kerberos
description: Policy CSP - Kerberos description: Policy CSP - Kerberos
ms.author: maricia ms.author: maricia
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: MariciaAlforque author: MariciaAlforque
ms.date: 03/12/2018 ms.date: 08/08/2018
--- ---
# Policy CSP - Kerberos # Policy CSP - Kerberos
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
<!--Policies--> <hr/>
## Kerberos policies
<!--Policies-->
<dl> ## Kerberos policies
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a> <dl>
</dd> <dd>
<dd> <a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a> </dd>
</dd> <dd>
<dd> <a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a> </dd>
</dd> <dd>
<dd> <a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
<a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a> </dd>
</dd> <dd>
<dd> <a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
<a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a> </dd>
</dd> <dd>
</dl> <a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
<dd>
<hr/> <a href="#kerberos-upnnamehints">Kerberos/UPNNameHints</a>
</dd>
<!--Policy--> </dl>
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
<hr/>
If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
<!--/Scope-->
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. <!--Description-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
<!--/Description-->
> [!TIP] If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Use forest search order*
- GP name: *ForestSearch* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Use forest search order*
<!--/Policy--> - GP name: *ForestSearch*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. <hr/>
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. <!--/Scope-->
<!--Description-->
<!--/Description--> This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
> [!TIP] If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
- GP name: *EnableCbacAndArmor* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
<!--/Policy--> - GP name: *EnableCbacAndArmor*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
<hr/>
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
<!--/Scope-->
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. <!--Description-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
<!--/Description-->
> [!TIP] Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Fail authentication requests when Kerberos armoring is not available*
- GP name: *ClientRequireFast* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Fail authentication requests when Kerberos armoring is not available*
<!--/Policy--> - GP name: *ClientRequireFast*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
<hr/>
If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
<!--/Scope-->
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. <!--Description-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
<!--/Description-->
> [!TIP] If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Require strict KDC validation*
- GP name: *ValidateKDC* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Require strict KDC validation*
<!--/Policy--> - GP name: *ValidateKDC*
- GP path: *System/Kerberos*
<hr/> - GP ADMX file name: *Kerberos.admx*
<!--Policy--> <!--/ADMXBacked-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize** <!--/Policy-->
<!--SupportedSKUs--> <hr/>
<table>
<tr> <!--Policy-->
<th>Home</th> <a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
<th>Pro</th>
<th>Business</th> <!--SupportedSKUs-->
<th>Enterprise</th> <table>
<th>Education</th> <tr>
<th>Mobile</th> <th>Home</th>
<th>Mobile Enterprise</th> <th>Pro</th>
</tr> <th>Business</th>
<tr> <th>Enterprise</th>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <th>Education</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> <th>Mobile Enterprise</th>
<td><img src="images/checkmark.png" alt="check mark" /></td> </tr>
<td><img src="images/checkmark.png" alt="check mark" /></td> <tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td> <td><img src="images/checkmark.png" alt="check mark" /></td>
</tr> <td><img src="images/checkmark.png" alt="check mark" /></td>
</table> <td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<!--/SupportedSKUs--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
<!--Scope--> <td><img src="images/crossmark.png" alt="cross mark" /></td>
[Scope](./policy-configuration-service-provider.md#policy-scope): </tr>
</table>
> [!div class = "checklist"]
> * Device <!--/SupportedSKUs-->
<!--Scope-->
<hr/> [Scope](./policy-configuration-service-provider.md#policy-scope):
<!--/Scope--> > [!div class = "checklist"]
<!--Description--> > * Device
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
<hr/>
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
<!--/Scope-->
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. <!--Description-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
<!--/Description-->
> [!TIP] If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
<!--/Description-->
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--ADMXBacked-->
ADMX Info: > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
- GP English name: *Set maximum Kerberos SSPI context token buffer size*
- GP name: *MaxTokenSize* > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx* <!--ADMXBacked-->
ADMX Info:
<!--/ADMXBacked--> - GP English name: *Set maximum Kerberos SSPI context token buffer size*
<!--/Policy--> - GP name: *MaxTokenSize*
<hr/> - GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
Footnote:
<!--/ADMXBacked-->
- 1 - Added in Windows 10, version 1607. <!--/Policy-->
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709. <hr/>
- 4 - Added in Windows 10, version 1803.
<!--Policy-->
<!--/Policies--> <a href="" id="kerberos-upnnamehints"></a>**Kerberos/UPNNameHints**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal.
Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->
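Review bot: the new Kerberos/UPNNameHints section ships with empty `<!--SupportedValues-->`, `<!--Example-->` and `<!--Validation-->` blocks, so a reader cannot tell the data type, how the list of domains is delimited, or what a valid SyncML payload looks like; every other policy on this page at least carries ADMX Info and the `<Format>chr</Format>` note. Please state the value format (and say explicitly whether this one is ADMX-backed, since it is the only policy on the page without the ADMX tip) and add a SyncML example before the prerelease warning is lifted. Two smaller points: the Mobile and Mobile Enterprise cells in the new SKU table are left as `<td></td>` where the other tables use `<img src="images/crossmark.png" alt="cross mark" />`, and because the description says the device "can attempt to contact" whatever domains are listed, a sentence on keeping that list to the organization's own trusted forest domains would help administrators avoid pointing hybrid-joined devices at domain controllers they do not control.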