Microsoft network server: Attempt S4U2Self to obtain claim information

Applies to

  • Windows 11
  • Windows 10

Describes the best practices, location, values, management, and security considerations for the Microsoft network server: Attempt S4U2Self to obtain claim information security policy setting.

Reference

This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012.

When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims aren't present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied.

If this setting is disabled, the Windows file server won't attempt to obtain a claim-enabled access token for the client principal.

Possible values

  • Default

    The Windows file server will examine the access token of an authenticated network client principal and determine if claim information is present.

  • Enabled

    Same as Default.

  • Disabled

  • Not defined

    Same as Disabled.

Best practices

This setting should be set to Default so that the file server can automatically evaluate whether claims are needed for the user. You should explicitly configure this setting to Enabled only if there are local file access policies that include user claims.

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Default values

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.

Server type or GPO Default value
Default Domain Policy Not defined
Default Domain Controller Policy Not defined
Stand-Alone Server Default Settings Not defined
DC Effective Default Settings Disabled
Member Server Effective Default Settings Disabled
Client Computer Effective Default Settings Disabled

Policy management

This section describes features and tools that are available to help you manage this policy.

Restart requirement

None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.

Group Policy

This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012.

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Vulnerability

None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 and Windows 8.

Countermeasure

Not applicable.

Potential impact

None.