2.2.2.1.13 DecryptPacCredentials

The DecryptPacCredentials structure is used to decrypt the supplemental credentials that are returned in the PAC ([MS-PAC]) by the KDC in a reply message. For more details, see section 3.1.5.13.

When populating this field of the KerbCredIsoRemoteInput structure, the CallId field MUST be set to RemoteCallKerbDecryptPacCredentials.

 struct
 {
     KERB_RPC_ENCRYPTION_KEY* Key;
     ULONG Version;
     ULONG EncryptionType;
     ULONG DataSize;
     [size_is(DataSize)] UCHAR* Data;
 } DecryptPacCredentials;

Key: A pointer to a KERB_RPC_ENCRYPTION_KEY structure (section 2.2.1.2.8) that contains the key needed to decrypt the credentials.

Version: A ULONG that indicates the version in the PAC_CREDENTIAL_INFO structure Version field ([MS-PAC] section 2.6.1), as supplied in the Privilege Attribute Certificate (PAC).

EncryptionType: A ULONG that indicates the Kerberos etype used for encryption. Kerberos parameters are documented in [KERB-PARAM].

DataSize: A ULONG that indicates the size of the credentials from a PAC_CREDENTIAL_INFO structure.

Data: The credential data from a PAC_CREDENTIAL_INFO structure SerializedData field.

When populating this field of the KerbCredIsoRemoteOutput structure, the CallId field MUST be set to RemoteCallKerbDecryptPacCredentials.

 struct
 {
     PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials;
 } DecryptPacCredentials;

Credentials: A pointer to a SECPKG_SUPPLEMENTAL_CRED_ARRAY structure (section 2.2.1.2.7) that contains the decoded array of credentials supplied by the KDC.
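The following C sketch is an added example, not part of this specification: it fills the input form of DecryptPacCredentials from a raw PAC_CREDENTIAL_INFO buffer and validates the buffer before anything is sent for decryption. It assumes the [MS-PAC] section 2.6.1 layout (4-byte little-endian Version, 4-byte little-endian EncryptionType, then SerializedData) and that DataSize is the length of SerializedData; the names `DecryptPacCredentialsInput` and `fill_decrypt_pac_credentials`, the status codes, and the etype allow-list are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG;  /* 32-bit, as in the Windows data model */
typedef uint8_t  UCHAR;
typedef struct KERB_RPC_ENCRYPTION_KEY KERB_RPC_ENCRYPTION_KEY; /* opaque here */

typedef struct {          /* hypothetical name for the input structure */
    KERB_RPC_ENCRYPTION_KEY *Key;
    ULONG Version;
    ULONG EncryptionType;
    ULONG DataSize;
    UCHAR *Data;
} DecryptPacCredentialsInput;

enum { PAC_CRED_OK = 0, PAC_CRED_TRUNCATED, PAC_CRED_EMPTY,
       PAC_CRED_TOO_LARGE, PAC_CRED_BAD_VERSION, PAC_CRED_BAD_ETYPE };

static ULONG read_le32(const UCHAR *p) {
    return (ULONG)p[0] | ((ULONG)p[1] << 8) | ((ULONG)p[2] << 16) | ((ULONG)p[3] << 24);
}

/* Validate a PAC_CREDENTIAL_INFO buffer and populate `out`.
   out->Data aliases `buf`, so `buf` must outlive `out`. */
int fill_decrypt_pac_credentials(UCHAR *buf, size_t len,
        KERB_RPC_ENCRYPTION_KEY *key, DecryptPacCredentialsInput *out) {
    memset(out, 0, sizeof *out);
    if (len < 8) return PAC_CRED_TRUNCATED;       /* header incomplete */
    if (len == 8) return PAC_CRED_EMPTY;          /* no SerializedData */
    if ((uint64_t)(len - 8) > UINT32_MAX) return PAC_CRED_TOO_LARGE; /* ULONG */
    ULONG version = read_le32(buf), etype = read_le32(buf + 4);
    if (version != 0) return PAC_CRED_BAD_VERSION; /* MS-PAC 2.6.1: MUST be 0 */
    /* Assumed local policy: AES etypes 17/18 or RC4-HMAC 23 only. */
    if (etype != 17 && etype != 18 && etype != 23) return PAC_CRED_BAD_ETYPE;
    out->Key = key;
    out->Version = version;
    out->EncryptionType = etype;
    out->DataSize = (ULONG)(len - 8);
    out->Data = buf + 8;
    return PAC_CRED_OK;
}

int main(void) {
    UCHAR sample[] = {0,0,0,0, 0x12,0,0,0, 0xAA,0xBB,0xCC}; /* constructed */
    DecryptPacCredentialsInput in;
    int rc = fill_decrypt_pac_credentials(sample, sizeof sample, NULL, &in);
    printf("rc=%d etype=%u size=%u\n", rc, (unsigned)in.EncryptionType, (unsigned)in.DataSize);
    return rc;
}
```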