3.2.5.1 Receiving a KDC_PROXY_MESSAGE

When the KKDCP server receives the KDC_PROXY_MESSAGE (section 2.2.2), it SHOULD:

  1. Validate that the KDC_PROXY_MESSAGE.kerb-message is a well-formed Kerberos message. If not, then the KKDCP server SHOULD drop the connection and stop processing.

  2. If KDC_PROXY_MESSAGE.target-domain is not present, return ERROR_BAD_FORMAT.

  3. Before the KKDCP server can send a Kerberos message, it MUST discover the KDC to which the message will be sent. The KKDCP server SHOULD perform the equivalent of calling DsrGetDcNameEx2 ([MS-NRPC] section 3.5.4.3.1) where:

    • AllowableAccountControlBits has bits A, B, C, D, E, and F set.

    • DomainName is KDC_PROXY_MESSAGE.target-domain.

    • Flags is KDC_PROXY_MESSAGE.dclocator-hint. If there is no dclocator-hint in the message, Flags has bits G and H set.

      • If the Kerberos message is "FAST armored", then also set bit U.

    • All other fields are set to NULL.

  4. Use the IP address of the DC returned in DomainControllerInfo.DomainControllerAddress as the KDC address.

  5. Send the KDC_PROXY_MESSAGE.kerb-message to that KDC.
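The following Python sketch applies steps 1 through 5 to a received message the way a KKDCP server would; it is an added example, not code from the specification or from any Microsoft implementation. It assumes the DER layout of KDC_PROXY_MESSAGE given in section 2.2.2 (not reproduced on this page), treats only AS-REQ and TGS-REQ as well-formed kerb-message payloads (this example's own choice), and replaces the DsrGetDcNameEx2 call with a caller-supplied locate_kdc callback (hypothetical), since the NRPC bit values for AllowableAccountControlBits and Flags are not given here.

```python
# Assumed layout (section 2.2.2, not reproduced here); kerb-message = 4-byte BE length + Kerberos msg:
#   KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
#       target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
KERB_REQUEST_TAGS = {0x6A, 0x6C}   # [APPLICATION 10] AS-REQ, [APPLICATION 12] TGS-REQ (example's choice)

def _tlv(buf, pos):   # one DER tag-length-value at buf[pos] -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_kdc_proxy_message(data):   # outer SEQUENCE -> dict keyed by field name
    tag, body, end = _tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx, inner, pos = _tlv(body, pos)            # explicit [n] tag wraps one nested TLV
        _, value, _ = _tlv(inner, 0)
        if ctx == 0xA0:   fields["kerb-message"] = value
        elif ctx == 0xA1: fields["target-domain"] = value.decode("ascii")
        elif ctx == 0xA2: fields["dclocator-hint"] = int.from_bytes(value, "big")
        else: raise ValueError("unexpected field tag 0x%02x" % ctx)
    return fields

def check_kerb_message(kerb):   # step 1: length prefix must match; payload is one Kerberos request
    if len(kerb) < 4 or int.from_bytes(kerb[:4], "big") != len(kerb) - 4:
        raise ValueError("kerb-message length prefix does not match its payload")
    tag, _, end = _tlv(kerb, 4)
    if tag not in KERB_REQUEST_TAGS or end != len(kerb):
        raise ValueError("payload is not a single AS-REQ or TGS-REQ")

def handle_kdc_proxy_message(data, locate_kdc):
    """Steps 1-5; locate_kdc(domain, hint) is a hypothetical stand-in for DsrGetDcNameEx2."""
    try:
        msg = parse_kdc_proxy_message(data)
        check_kerb_message(msg.get("kerb-message", b""))
    except (ValueError, IndexError):
        return ("drop", "malformed message")                            # step 1: drop and stop
    if "target-domain" not in msg:
        return ("error", "ERROR_BAD_FORMAT")                            # step 2
    kdc = locate_kdc(msg["target-domain"], msg.get("dclocator-hint"))   # steps 3 and 4
    return ("forward", kdc, msg["kerb-message"][4:])                    # step 5: strip the prefix

# Constructed sample (not captured traffic): 5-byte AS-REQ stand-in, target-domain EXAMPLE.COM, hint 0
SAMPLE_MESSAGE = (b"\x30\x21" + b"\xa0\x0b\x04\x09\x00\x00\x00\x05\x6a\x03\x01\x02\x03"
                  + b"\xa1\x0d\x1b\x0b" + b"EXAMPLE.COM" + b"\xa2\x03\x02\x01\x00")
```

A real server would additionally send the stripped Kerberos message to the located KDC and relay its reply; the callback here only decides where it would go.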