3.1.5.1 ProxyMessage() Call
Inputs:
Input_kerb_message OCTET STRING
Target_domain KERB-REALM - optional
dclocator-hint INTEGER - optional
Outputs:
Output_kerb_message OCTET STRING
The ProxyMessage() call enables Kerberos clients to pass Kerberos messages and realm data to the KKDCP client to proxy.
The KKDCP client SHOULD:
- Establish an HTTPS connection using KKDCPServerURL.
- Create a KDC_PROXY_MESSAGE (section 2.2.2) where:
  - kerb-message is set to KerberosMessage (section 3.1.1).
  - target-domain is set to the realm field of the Kerberos message ([RFC4120] section 5.4.1).
  - dclocator-hint: If the Kerberos client used only Flags G and H in DsrGetDcNameEx2 ([MS-NRPC] section 3.5.4.3.1) when attempting to locate the domain controller, then this setting is not used. Otherwise, it is set to the Flags used.
- Send the KDC_PROXY_MESSAGE using the HTTPS connection to the KKDCP server.
If the KKDCP client receives:
- A Kerberos message reply, the client SHOULD set Output_kerb_message to KerberosMessage (section 3.1.1) and return SUCCESS.
- Otherwise, the client SHOULD return Error, and SHOULD NOT return Output_kerb_message.
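
The following is an added example, not part of the specification text: a small DER encoder for the KDC_PROXY_MESSAGE built in the steps above, plus a strict reply parser that maps any malformed reply to the Error outcome. It assumes the section 2.2.2 layout (a SEQUENCE of [0] kerb-message, [1] target-domain, [2] dclocator-hint, with kerb-message carrying the 4-octet length prefix of [RFC4120] section 7.2.2) and that the reply uses the same structure; neither is reproduced on this page, and all function names are hypothetical.

```python
import struct
from typing import Optional, Tuple

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def build_proxy_message(kerb: bytes, realm: Optional[str] = None,
                        dclocator_hint: Optional[int] = None) -> bytes:
    """Build KDC_PROXY_MESSAGE (layout assumed from section 2.2.2).
    Pass dclocator_hint=None when only Flags G and H were used."""
    framed = struct.pack(">I", len(kerb)) + kerb  # assumed 4-octet length prefix
    body = _tlv(0xA0, _tlv(0x04, framed))         # [0] kerb-message OCTET STRING
    if realm is not None:                         # [1] target-domain (GeneralString)
        body += _tlv(0xA1, _tlv(0x1B, realm.encode("ascii")))
    if dclocator_hint is not None:                # [2] dclocator-hint INTEGER (>= 0)
        raw = dclocator_hint.to_bytes(dclocator_hint.bit_length() // 8 + 1, "big")
        body += _tlv(0xA2, _tlv(0x02, raw))
    return _tlv(0x30, body)

def _read(buf: bytes, tag: int) -> Tuple[bytes, bytes]:
    """Read one TLV with the expected tag; return (value, remainder)."""
    if len(buf) < 2 or buf[0] != tag:
        raise ValueError("unexpected tag or truncated header")
    n, pos = buf[1], 2
    if n & 0x80:
        k = n & 0x7F
        if not 1 <= k <= 4 or len(buf) < 2 + k:
            raise ValueError("bad length encoding")
        n, pos = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    if len(buf) < pos + n:
        raise ValueError("truncated value")
    return buf[pos:pos + n], buf[pos + n:]

def extract_reply(reply: bytes) -> bytes:
    """Return Output_kerb_message; ValueError is the spec's Error outcome."""
    seq, trailing = _read(reply, 0x30)
    ctx, _optional = _read(seq, 0xA0)
    octets, extra = _read(ctx, 0x04)
    if trailing or extra:
        raise ValueError("unexpected trailing bytes")
    if len(octets) < 4 or struct.unpack(">I", octets[:4])[0] != len(octets) - 4:
        raise ValueError("length prefix does not match payload")
    return octets[4:]
```

A caller that catches ValueError from extract_reply returns Error and no Output_kerb_message, which matches the last rule above.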