2.2.2.1.3 VerifyServiceTicket
The VerifyServiceTicket structure is used to decrypt and validate a service ticket reply from the KDC ([RFC4120] section 5.3). It is used to verify that the given service ticket is valid within the given skew. The encrypted part of the reply data is decrypted for the caller.
When populating this field of the KerbCredIsoRemoteInput structure, the CallId field MUST be set to RemoteCallKerbVerifyServiceTicket.
 struct {
   KERB_ASN1_DATA* PackedTicket;
   KERB_RPC_ENCRYPTION_KEY* ServiceKey;
   PLARGE_INTEGER TimeSkew; // optional
 } VerifyServiceTicket;
PackedTicket: A pointer to a KERB_ASN1_DATA structure (section 2.2.1.2.1) that contains the DER-encoded Kerberos ticket to be verified and decrypted.
ServiceKey: A pointer to a KERB_RPC_ENCRYPTION_KEY structure (section 2.2.1.2.8) that contains the key required to decrypt the ticket.
TimeSkew: Optional. A pointer to a LARGE_INTEGER that contains the allowed time drift between a client and the KDC. This is utilized for ticket validity checks based on the system time and ticket start and expiration times.
When populating this field of the KerbCredIsoRemoteOutput structure, the CallId field MUST be set to RemoteCallKerbVerifyServiceTicket.
 struct {
   KERB_ASN1_DATA DecryptedTicket;
   LONG KerbProtocolError;
 } VerifyServiceTicket;
DecryptedTicket: A KERB_ASN1_DATA structure that contains the decrypted EncTicketPart of the input Kerberos ticket.
KerbProtocolError: A LONG type that contains the validation result, as expressed by one of the error codes defined by [RFC4120] section 7.5.9.
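The skew-based validity check that TimeSkew feeds and KerbProtocolError reports can be sketched as follows. This is an added example, not code from this specification or its implementation; it follows the check order in [RFC4120] section 3.2.3. The names ticket_times, check_ticket_times and sat_add are hypothetical, and the 100 ns time unit and the 5-minute fallback for an absent TimeSkew are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Error codes from RFC 4120 section 7.5.9. */
#define KDC_ERR_NONE            0
#define KRB_AP_ERR_TKT_EXPIRED 32
#define KRB_AP_ERR_TKT_NYV     33

/* Assumptions: 100 ns ticks and a 5-minute fallback when TimeSkew is NULL. */
#define TICKS_PER_SECOND 10000000LL
#define DEFAULT_SKEW (300 * TICKS_PER_SECOND)

/* Hypothetical holder for the time fields of a decrypted EncTicketPart. */
typedef struct {
    int64_t authtime;
    int64_t starttime; /* 0 = absent (optional in RFC 4120); authtime is used */
    int64_t endtime;
} ticket_times;

/* a + b for b >= 0, saturating so a huge skew cannot wrap the comparison. */
static int64_t sat_add(int64_t a, int64_t b) {
    return (a > INT64_MAX - b) ? INT64_MAX : a + b;
}

/* Returns the code a caller would expect to find in KerbProtocolError. */
long check_ticket_times(const ticket_times *t, int64_t now, const int64_t *time_skew) {
    int64_t skew = time_skew ? *time_skew : DEFAULT_SKEW;
    if (skew < 0) skew = 0; /* design choice: never let skew shrink the window */
    int64_t start = t->starttime ? t->starttime : t->authtime;
    if (start > sat_add(now, skew)) return KRB_AP_ERR_TKT_NYV;
    if (now > sat_add(t->endtime, skew)) return KRB_AP_ERR_TKT_EXPIRED;
    return KDC_ERR_NONE;
}

int main(void) {
    /* Constructed sample: valid from t=1000 s to t=5000 s, 60 s skew. */
    ticket_times t = { 1000 * TICKS_PER_SECOND, 0, 5000 * TICKS_PER_SECOND };
    int64_t skew = 60 * TICKS_PER_SECOND;
    int64_t probes[] = { 900, 950, 3000, 5050, 5100 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("now=%llds -> %ld\n", (long long)probes[i],
               check_ticket_times(&t, probes[i] * TICKS_PER_SECOND, &skew));
    return 0;
}
```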