3.1.5.11 RemoteCallKerbSignS4UPreauthData

The RemoteCallKerbSignS4UPreauthData call uses the Kerberos SignS4UPreauthData message (section 2.2.2.1.11) to compute a keyed hash over the S4U pre-authentication data of the type PA-FOR-X509-USER ([KERB-PARAM]). The KDC uses the result for integrity checks on the ticket request.

To perform this message exchange, the CredSSP server MUST send a KerbCredIsoRemoteInput object to the CredSSP client. The CallId field MUST be set to RemoteCallKerbSignS4UPreauthData, and the SignS4UPreauthData member of the union MUST be populated.

To reply to the preceding input message, the CredSSP client MUST respond with a KerbCredIsoRemoteOutput object. The CallId field MUST be set to RemoteCallKerbSignS4UPreauthData, and the SignS4UPreauthData member of the union MUST be populated.