ACS Policy Operation

• Host RSVP service provider inserts RSVP policy objects in RSVP messages

  • Contains User Identity represented as an encrypted DN {dc=com, dc=microsoft, ou=redmond, n=bob}Ksession
  • Security token to prove identity (kerberos ticket for ACS service)
    • Ticket encrypted in private key of ACS service
    • Session Key (Ksession) is in Ticket
  • Digital signature over RSVP message to avoid policy object reuse (cut and paste)

• ACS servers in network authorize requests

  • Crack ticket to get identity of requestor
  • Check User’s Policy in the Directory

Previous slide

Next slide

Back to first slide

View graphic version