3.1.5.13 RemoteCallKerbDecryptPacCredentials

The RemoteCallKerbDecryptPacCredentials call uses the Kerberos DecryptPacCredentials message (section 2.2.2.1.13) to decrypt the supplemental credentials that are returned in the PAC [MS-PAC] by the KDC. The credentials are then re-encrypted with a connection-specific key, making them usable only with the same CredSSP client that decrypted them. This guards against attackers on the CredSSP server who may be scanning memory for such credentials.

To perform this message exchange, the CredSSP server MUST send a KerbCredIsoRemoteInput object to the CredSSP client. The CallId field MUST be set to RemoteCallKerbDecryptPacCredentials, and the DecryptPacCredentials member of the union MUST be populated.

To reply to the preceding input message, the CredSSP client MUST respond with a KerbCredIsoRemoteOutput object. The CallId field MUST be set to RemoteCallKerbDecryptPacCredentials, and the DecryptPacCredentials member of the union MUST be populated.
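The following is an added, illustrative model of this exchange and is not code from MS-RDPEAR or any implementation: the two objects are plain Python classes carrying only the CallId and DecryptPacCredentials fields named above (no wire encoding), the Kerberos session key and connection-specific key are constructed values, and `seal`/`unseal` are a SHA-256/HMAC stand-in cipher, not the real cipher suite. It shows the property the text describes: the client alone decrypts, the server only ever sees the re-encrypted blob, and that blob cannot be opened under any other connection's key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional

CALL_ID = "RemoteCallKerbDecryptPacCredentials"  # CallId value named in the spec text

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode); illustrative only.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("credential blob failed authentication (wrong key?)")
    return _keystream_xor(key, nonce, ct)

@dataclass
class KerbCredIsoRemoteInput:          # assumed shape: only this union member is modeled
    CallId: str
    DecryptPacCredentials: Optional[bytes] = None

@dataclass
class KerbCredIsoRemoteOutput:
    CallId: str
    DecryptPacCredentials: Optional[bytes] = None

def credssp_client_handle(msg: KerbCredIsoRemoteInput, session_key: bytes,
                          connection_key: bytes) -> KerbCredIsoRemoteOutput:
    # CredSSP client: the only party holding the Kerberos session key. It decrypts
    # the PAC supplemental credentials and re-encrypts them under the connection key.
    if msg.CallId != CALL_ID or msg.DecryptPacCredentials is None:
        raise ValueError("CallId and populated union member must agree")
    plain = unseal(session_key, msg.DecryptPacCredentials)
    return KerbCredIsoRemoteOutput(CALL_ID, seal(connection_key, plain))

def credssp_server_exchange(pac_creds: bytes,
                            send: Callable[[KerbCredIsoRemoteInput], KerbCredIsoRemoteOutput]) -> bytes:
    # CredSSP server: builds the input, forwards it, validates the reply. Plaintext
    # credentials never exist in this function, so memory scraping here gains nothing.
    resp = send(KerbCredIsoRemoteInput(CALL_ID, pac_creds))
    if resp.CallId != CALL_ID or resp.DecryptPacCredentials is None:
        raise ValueError("malformed KerbCredIsoRemoteOutput")
    return resp.DecryptPacCredentials
```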