3.1.5.10 RemoteCallKerbHashS4UPreauth

The RemoteCallKerbHashS4UPreauth call uses the Kerberos HashS4UPreauth message (section 2.2.2.1.10) to perform a keyed hash of the S4U pre-authentication data of the type PA-FOR_USER ([KERB-PARAM]). The result is used for integrity checks on the ticket request by the KDC.

To perform this message exchange, the CredSSP server MUST send a KerbCredIsoRemoteInput object to the CredSSP client. The CallId field MUST be set to RemoteCallKerbHashS4UPreauth, and the HashS4UPreauth member of the union MUST be populated.

To reply to the preceding input message, the CredSSP client MUST respond with a KerbCredIsoRemoteOutput object. The CallId field MUST be set to RemoteCallKerbHashS4UPreauth, and the HashS4UPreauth member of the union MUST be populated.