3.1.5.1 ProxyMessage() Call

Inputs:

  • Input_kerb_message OCTET STRING

  • Target_domain KERB-REALM - optional

  • dclocator-hint INTEGER - optional

Outputs:

  • Output_kerb_message OCTET STRING

The ProxyMessage() call enables Kerberos clients to pass Kerberos messages and realm data to the KKDCP client to proxy.

The KKDCP client SHOULD:

  1. Establish an HTTPS connection using KKDCPServerURL.

  2. Create a KDC_PROXY_MESSAGE (section 2.2.2) where:

       • kerb-message is set to KerberosMessage (section 3.1.1).

       • target-domain is set to the realm field of the Kerberos message ([RFC4120] section 5.4.1).

       • dclocator-hint: If the Kerberos client used only Flags G and H in DsrGetDcNameEx2 ([MS-NRPC] section 3.5.4.3.1) when attempting to locate the domain controller, then this setting is not used. Otherwise, it is set to the Flags used.

  3. Send the KDC_PROXY_MESSAGE using the HTTPS connection to the KKDCP server.

If the KKDCP client receives:

  • A Kerberos message reply, the client SHOULD set Output_kerb_message to KerberosMessage (section 3.1.1) and return SUCCESS.

  • Otherwise, the client SHOULD return Error, and SHOULD NOT return Output_kerb_message.