Partager via


2.2.64 FW_AUTH_SET2_10

This structure contains a list of FW_AUTH_SUITE2_10 elements that are ordered from highest to lowest preference and are negotiated with remote peers to establish authentication algorithms.

 typedef struct _tag_FW_AUTH_SET2_10 {
   struct _tag_FW_AUTH_SET2_10* pNext;
   unsigned short wSchemaVersion;
   [range(FW_IPSEC_PHASE_INVALID+1, FW_IPSEC_PHASE_MAX-1)] 
     FW_IPSEC_PHASE IpSecPhase;
   [string, range(1,255), ref] wchar_t* wszSetId;
   [string, range(1,10001)] wchar_t* wszName;
   [string, range(1,10001)] wchar_t* wszDescription;
   [string, range(1,10001)] wchar_t* wszEmbeddedContext;
   [range(0,1000)] unsigned long dwNumSuites;
   [size_is(dwNumSuites)] PFW_AUTH_SUITE pSuites;
   [range(FW_RULE_ORIGIN_INVALID,FW_RULE_ORIGIN_MAX-1)] 
     FW_RULE_ORIGIN_TYPE Origin;
   [string, range(1,10001)] wchar_t* wszGPOName;
   FW_RULE_STATUS Status;
   unsigned long dwAuthSetFlags;
 } FW_AUTH_SET2_10,
  *PFW_AUTH_SET2_10;

pNext: A pointer to the next FW_AUTH_SET2_10 in the list.

wSchemaVersion: Specifies the version of the set.

IpSecPhase: This field is of type FW_IPSEC_PHASE, and it specifies if this authentication set applies for first or second authentications.

wszSetId: A pointer to a Unicode string that uniquely identifies the set. The default set for this policy object is identified with the "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}" string for Phase1 and the "{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}" string for Phase2. Default sets are merged across policy stores, and only one is enforced according to predefined merge logic rules.

wszName: A pointer to a Unicode string that provides a friendly name for the set.

wszDescription: A pointer to a Unicode string that provides a friendly description for the set.

wszEmbeddedContext: A pointer to a Unicode string that provides a way for applications to store relevant application-specific context that is related to the set.

dwNumSuites: Specifies the number of authentication suites that the structure contains.

pSuites: A pointer to an array of FW_AUTH_SUITE elements. The number of elements is given by dwNumSuites.

Origin: This field is the set origin, as specified in the FW_RULE_ORIGIN_TYPE enumeration. It MUST be filled on enumerated rules and ignored on input.

wszGPOName: A Unicode string that represents the name of the originating GPO. It MUST be set if the origin is Group Policy; otherwise, it MUST be NULL.

Status: A status code of the set, as specified by the FW_RULE_STATUS enumeration. This field is filled out when the structure is returned as output. On input, this field MUST be set to FW_RULE_STATUS_OK.

dwAuthSetFlags: A reserved value and not currently used. It MUST be set to 0.

The following are semantic checks that authentication sets MUST pass:

  • The wSchemaVersion field MUST NOT be less than 0x000200.

  • The wszSetId field MUST NOT contain the pipe (|) character, MUST NOT be NULL, MUST be a string of at least 1 character long, and MUST NOT be greater than or equal to 255 characters.

  • If the wszName field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.

  • If the wszDescription field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.

  • If the wszEmbeddedContext field string is not NULL, it MUST be at least 1 character long, MUST NOT be greater than or equal to 10,000 characters, and MUST NOT contain the pipe (|) character.

  • The IpSecPhase field MUST have valid FW_IPSEC_PHASE values.

  • If IpSecPhase is FW_IPSEC_PHASE_1:

    • The wszSetId field MUST NOT have the default phase 1 authentication set ID as a prefix.

    • The authentication set MUST have at least one authentication suite.

    • The dwNumSuites field MUST agree with the pSuites field.

    • The authentication suites methods MUST only be FW_AUTH_METHOD_ANONYMOUS, FW_AUTH_METHOD_MACHINE_KERB, FW_AUTH_METHOD_MACHINE_NTLM, FW_AUTH_METHOD_MACHINE_CERT, or FW_AUTH_METHOD_MACHINE_SHKEY.

    • Authentication suites that have a method other than machine certificate MUST have the wFlags field of the same suite set to 0.

    • If the set schema policy version is 0x200, the wFlags field MUST NOT contain the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 or the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • The wFlags field MUST NOT contain both the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 and the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • All suites that have the FW_AUTH_METHOD_MACHINE_CERT method and a wFlags field with the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 flag set, MUST be contiguous. The same applies for those suites that have the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flag set, and those suites that have neither flag set (they default to RSA signing).

    • All such contiguous suites that have a specific signing flag (either none, ECDSA256, or ECDSA384) MUST have the same value for the FW_AUTH_SUITE_FLAGS_HEALTH_CERT flag. It MUST be set either in all or in none.

    • The set MUST NOT have more than one suite that has the anonymous method (FW_AUTH_METHOD_ANONYMOUS), or that has the machine kerb method (FW_AUTH_METHOD_MACHINE_KERB), or that has the machine ntlm method (FW_AUTH_METHOD_MACHINE_NTLM), or that has the machine shkey method (FW_AUTH_METHOD_MACHINE_SHKEY), as defined in section 2.2.60.<17>

    • The set MUST NOT have a suite that has an NTLM Authentication Protocol method (as specified in [MS-NLMP]) and a suite SHKey method.

    • If the set has a machine certificate suite that has a wFlags field that contains the flag FW_AUTH_SUITE_FLAGS_HEALTH_CERT, all machine certificate method suites in the set MUST also have this flag.

    • If the set schema policy version is less than 0x214, the set MUST NOT have suites that contain the FW_AUTH_METHOD_MACHINE_NEGOEX authentication method.

  • If the IpSecPhase is FW_IPSEC_PHASE_2:

    • The wszSetId MUST NOT have the default phase 2 authentication set ID as a prefix.

    • The dwNumSuites field MUST agree with the pSuites field.

    • The authentication suites methods MUST only be FW_AUTH_METHOD_ANONYMOUS, FW_AUTH_METHOD_USER_KERB, FW_AUTH_METHOD_USER_NTLM, FW_AUTH_METHOD_USER_CERT, or FW_AUTH_METHOD_MACHINE_CERT.

    • The set MUST NOT have a suite that has the anonymous method as the only suite.

    • Suites in the set MUST NOT contain FW_AUTH_SUITE_FLAGS_CERT_EXCLUDE_CA_NAME.

    • Suites that have user certificate methods MUST NOT contain the FW_AUTH_SUITE_FLAGS_HEALTH_CERT flag; however, suites that have machine certificate methods MUST contain it.

    • Authentication suites that have a method other than machine certificate or user certificate MUST have the wFlags field of the same suite set to 0.

    • If the set schema policy version is 0x200, the wFlags field MUST NOT contain the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 or the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • The wFlags field MUST NOT contain both the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 and the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flags.

    • All suites that have a FW_AUTH_METHOD_MACHINE_CERT method and a wFlags field with the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA256 flag set, MUST be contiguous. The same applies to those suites that have the FW_AUTH_SUITE_FLAGS_CERT_SIGNING_ECDSA384 flag set and those suites that have neither flag set (they default to RSA signing).

    • The set MUST NOT have more than one suite that has the anonymous method (FW_AUTH_METHOD_ANONYMOUS), or that has the user kerb method (FW_AUTH_METHOD_USER_KERB), or that has the user ntlm method (FW_AUTH_METHOD_USER_NTLM), as defined in section 2.2.60.<18>

    • A set that contains a suite that has the machine certificate method MUST NOT contain suites that have the user certificate method.

    • A set that contains a suite that has the machine certificate method MUST only contain more suites that have machine certificate or anonymous methods.

    • If the set schema policy version is less than 0x214, the set MUST NOT have suites that contain the FW_AUTH_METHOD_USER_NEGOEX authentication method.