Microsoft network server: Attempt S4U2Self to obtain claim information
This security setting supports clients running a version of Windows prior to Windows 8 Consumer Preview that are trying to access a file share that requires user claims. It determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal's claims from the client's account domain. This setting should be set to Enabled only if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts may be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 Consumer Preview.
This setting should be set to automatic (default) so that the file server can automatically evaluate whether claims are needed for the user. An administrator would want to set it explicitly to 'Enabled' only if there are local file access policies that include user claims.
When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determine whether claim information is present. If claims are not present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 8 Beta domain controller in the client's account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token may be needed to access files or folders that have claim-based access control policy applied.
If this setting is disabled, the Windows file server will not attempt to obtain a claims-enabled access token for the client principal.