Accessing claims-enabled file shares on Windows 8

A new policy setting on Windows 8 and Windows Server 2012 is intended to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This policy setting may be needed where there are local file access policies that include user claims.

This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should be enabled only if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts may be in a domain which has client computers and domain controllers running a version of Windows prior to Windows 8.

For further information on how claims-based identity works, go here –

To configure this policy setting on a single Windows 8 computer, open the Local Group Policy Editor snap-in by typing gpedit.msc in the Apps search text box and then clicking the gpedit App icon.

  • Go to Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node.
  • Double-click Microsoft network server: Attempt S4U2Self to obtain claim information.
  • Choose an option from the drop-down list.
  • Click Apply and OK.
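The steps above configure one machine through the GUI. On a fleet of file servers an administrator will usually want to verify the setting rather than click through gpedit on each box. The PowerShell function below is an added example, not code from the original article or from Microsoft; it reads the value that "Microsoft network server" Security Options store under the LanmanServer\Parameters key on one or more servers. The registry value name backing this particular policy is an assumption here and is passed as a parameter, so confirm it against the policy's documentation or by toggling the setting in gpedit and watching the key before trusting the report.

```powershell
# Added example (not from the original article). Reports the raw registry data
# behind the "Attempt S4U2Self to obtain claim information" policy on one or
# more file servers so it can be audited without opening gpedit on each one.
#
# ASSUMPTION: the registry value name for this policy is not given in the
# article. The default below is a placeholder; override it with -ValueName
# after confirming the real name on a test server (toggle the setting in
# gpedit.msc and compare the LanmanServer\Parameters key before and after).
function Get-S4U2SelfClaimsSetting {
    [CmdletBinding()]
    param(
        # Servers to query; defaults to the local machine.
        [string[]]$ComputerName = @($env:COMPUTERNAME),

        # Registry value assumed to back the policy (see ASSUMPTION above).
        [string]$ValueName = 'EnableS4U2SelfForClaims',

        # Credential used for remote sessions; omitted for the local machine.
        [pscredential]$Credential
    )

    # "Microsoft network server: ..." Security Options live under this key.
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # This script block runs on each target. It returns the raw DWORD if the
    # value exists and $null if it does not, which corresponds to the policy
    # being "Not defined" in the Security Options UI.
    $probe = {
        param($keyPath, $valueName)
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$valueName
    }

    foreach ($computer in $ComputerName) {
        $isLocal = $computer -ieq $env:COMPUTERNAME -or $computer -ieq 'localhost'
        try {
            if ($isLocal) {
                $raw = & $probe $keyPath $ValueName
            } else {
                $icm = @{ ComputerName = $computer; ScriptBlock = $probe; ArgumentList = @($keyPath, $ValueName); ErrorAction = 'Stop' }
                if ($Credential) { $icm['Credential'] = $Credential }
                $raw = Invoke-Command @icm
            }

            # The mapping of the stored number to Automatic / Enabled / Disabled
            # is deliberately not hard-coded here; only "defined" vs "not
            # defined" is inferred, which is enough to find servers where the
            # policy was never set.
            [pscustomobject]@{
                ComputerName = $computer
                ValueName    = $ValueName
                Defined      = ($null -ne $raw)
                RawData      = $raw
                Error        = $null
            }
        }
        catch {
            [pscustomobject]@{
                ComputerName = $computer
                ValueName    = $ValueName
                Defined      = $null
                RawData      = $null
                Error        = $_.Exception.Message
            }
        }
    }
}

# Usage: audit the local server, then a list of file servers from a text file.
Get-S4U2SelfClaimsSetting | Format-Table -AutoSize
Get-S4U2SelfClaimsSetting -ComputerName (Get-Content .\fileservers.txt) |
    Where-Object { -not $_.Defined } |
    Format-Table ComputerName, Defined, RawData, Error -AutoSize
```

Remote queries use PowerShell Remoting (Invoke-Command), so WinRM must be enabled on the target servers and the caller needs local administrator rights there. A row with Defined = False is a server on which the policy has never been set and which is therefore relying on the default behaviour described below.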

The default setting is Automatic; however, there are instances in which it is not defined.

When Enabled – the Windows file server will examine the access token of an authenticated network client principal and determine if claim information is present. If claims are not present the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain, and obtain a claims-enabled access token for the client principal. A claims-enabled token may be needed to access files or folders which have claim-based access control policy applied.

When Disabled – the Windows file server will not attempt to obtain a claim-enabled access token for the client principal.