Identity in Windows is not a new concept. The Windows Server operating system introduced identity with the release of Windows NT and has carried it through every subsequent release based on Windows NT. Windows Server 2012 enhances the concept of identity through claims. The concept of identity must be understood before covering these identity enhancements.
What Is Identity
Identity is simple in design and concept. Consider a non-computer example: Alice preparing for a business trip to Germany.
Alice lives in the United States. When Alice arrives at the airport, she checks in at the airline ticket counter. The attendant at the ticket counter asks Alice for her passport. Her passport contains information about her such as her name, address, date of birth, and photograph. Each country ensures that the information published in a passport is accurate for that person, which makes the source of the information authoritative. Each country trusts other countries to follow the same procedure.
The passport is Alice's identity. Her identity is represented by the personal information published in her passport. Each item of personal information is a "claim" made about Alice by the country issuing the passport. The airline trusts that the issuing country's claims about Alice are true; therefore, the airline uses the passport to validate Alice's identity.
The Windows operating system provides a similar concept of identity. An administrator creates a user account named Alice in Active Directory. The domain controller publishes information about Alice, such as her security identifier and her group memberships, in attributes of Alice's user account. Windows creates an authorization token for Alice when she logs on, and evaluates that token whenever she accesses a resource.
To connect the analogy: Alice is the user. The authorization token is the passport. Each unique piece of information in the authorization token is a "claim" made about Alice's user account. Domain controllers issue these claims. Domain-joined computers and domain users trust domain controllers to provide authoritative information.
Both of these examples illustrate the concept of identity. Identity, with respect to authentication and authorization, is simply information published about an entity from a trusted source. The information is considered authoritative because the source is trusted.
Earlier versions of Windows Server used the security identifier (SID) as the primary information representing the identity of a user or computer. A user authenticates to the domain with a specific user name and password. The unique logon name translates into a security identifier. The domain controller validates the password and publishes the SID of the security principal together with the SIDs of all the groups of which the principal is a member. The domain controller "claims" that the user's SID is valid and should be used as the identity of the user. All domain members trust the domain controller; therefore, the response is treated as authoritative.
Identity is not limited to the user's SID. An application can use any information about the user as a form of identity, provided the application trusts the source of that information to be authoritative. For example, many applications implement role-based access control, which limits access to resources based on whether the user is a member of a specific role. SharePoint Server is a good example of software that implements role-based security.
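The following PowerShell is an added example, not part of the original article, that shows what the SID-based identity described above looks like inside a live access token. It runs as the current user on any Windows host and makes no assumptions about the domain; the only names it uses are well-known SIDs.

```powershell
# Added example: inspect the caller's own access token.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# The user SID that the domain controller (or the local SAM) asserted at logon.
"Logon name : {0}" -f $identity.Name
"User SID   : {0}" -f $identity.User.Value

# Every group SID in the token. Names are resolved only for display; the
# authorization path never needs them, which is why a renamed group, or a
# group from a trusted forest this host cannot resolve, still grants access.
foreach ($groupSid in $identity.Groups) {
    try   { $name = $groupSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '(name not resolvable on this host)' }
    "{0,-46} {1}" -f $groupSid.Value, $name
}

# An authorization decision is a test against the token's SIDs, not a name lookup.
# Note: in a non-elevated session of an administrator this returns False, because
# UAC marks the Administrators SID as deny-only in the filtered token.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
"Member of BUILTIN\Administrators (by SID): {0}" -f $principal.IsInRole($adminsSid)

# The same view from the command line: whoami /user /groups
```

Compare the SID column with the name column for any group that fails to translate: the token still carries the SID, and an ACL that references that SID still evaluates correctly, which is the practical meaning of "the SID is the identity".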
What Is a Claim
A claim is information that a trusted source makes about an entity. The SID of a user or computer, the department classification of a file, and the health state of a computer are all valid examples of claims. An entity can carry more than one claim, and any combination of those claims can be used to authorize access to resources.
Windows Server 2012 extends authorization to files and folders by using claims. Traditionally, Windows servers based authorization on the SID of the user or the SID of a group to which the user belonged. Windows Server 2012 goes beyond the SID as the only form of authorization identity and allows administrators to configure authorization based on claims issued by Active Directory domain controllers. With Windows Server 2012, administrators can protect files and folders based on a user's department, cost center, or country.
Types of Claims
Windows Server 2012 introduces three new types of claims: user, device, and transformation claims. Windows Server 2012 continues to allow you to use group membership for authorization decisions.
User Claim
A user claim is information provided by a Windows Server 2012 domain controller about a user represented by a user account in Active Directory. A user claim type can use most Active Directory attributes that are applicable to user objects.
Device Claim
A device claim is information provided by a Windows Server 2012 domain controller about a device represented by a computer account in Active Directory. A device claim type can use most Active Directory attributes that are applicable to computer objects.
Transformation Claim
A transformation claim is a claim issued by a domain controller through a claims transformation policy. Windows Server 2012 domain controllers can transform claims as they exit a trusted forest or enter a trusting forest. Unlike user and device claims, a transformation claim does not take its value from an Active Directory attribute; its value is produced by the rules in the transformation policy.
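The following PowerShell is an added example, not part of the original article, that defines one claim type of each kind described above using the Active Directory module cmdlets. It must run on a host with the ActiveDirectory module and rights to write to the forest's Claims Configuration container. The claim type IDs (ad://ext/Department, ad://ext/Location, ad://ext/PartnerDepartment), the policy name, and the trust name partner.example are assumptions chosen for illustration.

```powershell
# Added example: one user claim, one device claim, one transformation claim.
Import-Module ActiveDirectory

# User claim sourced from the 'department' attribute of user objects (String data type).
New-ADClaimType -DisplayName "Department" -SourceAttribute "department" `
    -ID "ad://ext/Department" -AppliesToClasses @("user") -Enabled $true

# Device claim sourced from the 'location' attribute of computer objects (String data type).
New-ADClaimType -DisplayName "Location" -SourceAttribute "location" `
    -ID "ad://ext/Location" -AppliesToClasses @("computer") -Enabled $true

# Transformation claim: no source attribute, so the value type must be stated explicitly.
# Its values are produced only by a claims transformation policy.
New-ADClaimType -DisplayName "PartnerDepartment" -SourceTransformPolicy `
    -ID "ad://ext/PartnerDepartment" -ValueType String -Enabled $true

# Transformation policy: rewrite incoming ad://ext/Department claims into
# ad://ext/PartnerDepartment. Claims not matched by any rule are not issued,
# so the partner forest's other claims do not cross the trust.
New-ADClaimTransformPolicy -Name "PartnerDepartmentPolicy" -Rule @'
C1:[Type=="ad://ext/Department"] => Issue(Type="ad://ext/PartnerDepartment", Value=C1.Value, ValueType=C1.ValueType);
'@

# Link the policy to the trust object (assumed trust name). -TrustRole selects which
# side of the trust the policy applies to; Trusted covers claims arriving from the
# trusted forest partner.example into this forest.
Set-ADClaimTransformLink -Identity "partner.example" -Policy "PartnerDepartmentPolicy" -TrustRole Trusted
```

The rule rewrites the claim type while preserving the value and value type, so the transformed claim keeps the String data type of its source; a rule that issued a different ValueType would produce claims that later comparisons in access rules could not evaluate against string literals.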
Claim Data Types
Claims, like Active Directory attributes, are strongly typed to hold specific kinds of information. This is important because Windows evaluates claims through one or more Boolean expressions. A Boolean expression has a left value, an operator (such as an equal sign or a greater-than sign), and a right value. For Windows to evaluate the expression correctly, the values on either side of the operator must be of the same or a compatible data type.
Windows Server 2012 includes the following claim data types.
Table 1 Claim Data Types

Claim data type | Usage description
Boolean | An integer-based claim that represents true and false values
Multi-valued String | A claim that contains one or more string values
Multi-valued Unsigned Integer | A claim that contains one or more non-negative integer values
Security Identifier | A claim that contains one or more security identifiers
String | A claim that contains literal alphanumeric characters
Unsigned Integer | A claim that contains a single non-negative integer value
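The following PowerShell is an added example, not part of the original article, that builds a central access rule whose condition compares claims of several of the data types in Table 1 with operands of a compatible type, and also covers the department-based file protection described under "What Is a Claim". It assumes the claim types ad://ext/Department (String), ad://ext/CountryCode (Unsigned Integer, sourced from the countryCode attribute), ad://ext/Project (Multi-valued String) and the device claim ad://ext/Location (String) already exist, and that the built-in Department resource property (ID Department_MS) is enabled; the rule and policy names are invented for illustration.

```powershell
# Added example: typed comparisons in a conditional ACE, then a central access rule around it.
Import-Module ActiveDirectory

# Each clause pairs a claim with an operand of a compatible data type.
$condition = @(
    '(@USER.ad://ext/Department == "Finance")'              # String compared with a string literal
    '(@USER.ad://ext/CountryCode >= 1)'                     # Unsigned Integer compared with a numeric literal
    '(@USER.ad://ext/Project Any_of {"Apollo", "Gemini"})'  # Multi-valued String: true if any value is in the set
    '(@DEVICE.ad://ext/Location == "HQ")'                   # Device claim, String
    '(Member_of {SID(S-1-5-32-545)})'                       # Security Identifier: a group SID in the token (BUILTIN\Users)
) -join ' && '

# Not valid: a String claim compared with a numeric literal. The two sides are not
# type-compatible, so this clause can never be satisfied and grants nothing:
#   (@USER.ad://ext/Department == 5)

# SDDL with a conditional allow ACE (XA) granting read and execute (0x1200a9) to
# Authenticated Users only when the whole condition is true. SYSTEM and
# Administrators get unconditional full control.
$acl = "O:SYG:SYD:AR(A;;FA;;;SY)(A;;FA;;;BA)(XA;;0x1200a9;;;AU;($condition))"

# The resource condition limits the rule to files whose Department property is Finance.
New-ADCentralAccessRule -Name "Finance read access" -CurrentAcl $acl `
    -ResourceCondition '(@RESOURCE.Department_MS == "Finance")'

# Package the rule into a policy; the policy is then targeted at file servers through
# Group Policy and applied to folders by their administrators.
New-ADCentralAccessPolicy -Name "Finance policy"
Add-ADCentralAccessPolicyMember -Identity "Finance policy" -Members "Finance read access"
```

Read the condition string left to right against Table 1: every clause keeps the same data type on both sides of the operator, and the multi-valued claim is tested with a set operator (Any_of) rather than with equality, which is how a claim that carries several values is meant to be evaluated.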