2.2.2.1.4 CreateApReqAuthenticator
The CreateApReqAuthenticator structure is used to create an authenticator for inclusion in a KRB_AP_REQ message ([RFC4120] section 5.5.1).
When populating this field of the KerbCredIsoRemoteInput structure, the CallId field MUST be set to RemoteCallKerbCreateApReqAuthenticator.
struct {
    KERB_RPC_ENCRYPTION_KEY* EncryptionKey;
    ULONG SequenceNumber;
    KERB_RPC_INTERNAL_NAME* ClientName;
    PRPC_UNICODE_STRING ClientRealm;
    PLARGE_INTEGER SkewTime;
    KERB_RPC_ENCRYPTION_KEY* SubKey; // optional
    KERB_ASN1_DATA* AuthData; // optional
    KERB_ASN1_DATA* GssChecksum; // optional
    ULONG KeyUsage;
} CreateApReqAuthenticator;
EncryptionKey: A pointer to a KERB_RPC_ENCRYPTION_KEY structure (section 2.2.1.2.8) that is the opaque structure associated with the key that the CredSSP server uses to build the authenticator. The exact format of this structure is CredSSP client dependent. The key comes from a previous UnpackKdcReplyBody output message (section 2.2.2.1.6).
SequenceNumber: A ULONG type that contains the replay detection sequence number.
ClientName: A pointer to a KERB_RPC_INTERNAL_NAME structure (section 2.2.1.2.3) that contains the name of the initiating principal.
ClientRealm: A pointer to an RPC_UNICODE_STRING structure ([MS-DTYP] section 2.3.10) that contains the realm/domain of the initiating principal.
SkewTime: A pointer to a LARGE_INTEGER that contains the time adjustment, if any, to account for clock drift from the KDC.
SubKey: Optional. A pointer to a KERB_RPC_ENCRYPTION_KEY structure (section 2.2.1.2.8) that contains the sub-session key negotiated with the KDC as defined in [RFC4120] section 1.7.
AuthData: Optional. A pointer to a KERB_ASN1_DATA structure (section 2.2.1.2.1) that contains additional authentication data.
GssChecksum: Optional. A pointer to a KERB_ASN1_DATA structure that contains the checksum of application data associated with a request.
KeyUsage: A ULONG number used to alter the encryption key. MUST be one of the following values from [RFC4120] section 7.5.1.
Value    Meaning
3        KRB_AS_REP key usage number.
8        KRB_TGS_REP key usage number.
When populating this field of the KerbCredIsoRemoteOutput structure, the CallId field MUST be set to RemoteCallKerbCreateApReqAuthenticator.
struct {
    LARGE_INTEGER AuthenticatorTime;
    KERB_ASN1_DATA Authenticator;
    LONG KerbProtocolError;
} CreateApReqAuthenticator;
AuthenticatorTime: A LARGE_INTEGER that contains the timestamp used in the authenticator.
Authenticator: A KERB_ASN1_DATA structure that is the DER-encoded Kerberos EncryptedData structure containing an authenticator to be included in a KRB_AP_REQ message ([RFC4120] section 5.5.1).
KerbProtocolError: A LONG that contains any protocol-level errors that occur while building the authenticator, as expressed by one of the error codes defined in [RFC4120] section 7.5.9.
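The Authenticator output field is described above as a DER-encoded Kerberos EncryptedData structure. The following Python code is an added example, not part of this specification: it strictly validates such a blob and extracts its fields so that a returned authenticator can be inspected. The EncryptedData layout is taken from [RFC4120] section 5.2.9; the names read_tlv, parse_encrypted_data and SAMPLE, and the sample bytes, are assumptions of the example.

```python
# Added example (not from the specification): strict DER reader for the
# RFC 4120 section 5.2.9 type that the Authenticator output field carries:
#   EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] UInt32 OPTIONAL,
#                                cipher [2] OCTET STRING }

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length, not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_encrypted_data(blob):
    """Validate the outer structure and return etype, kvno and cipher bytes."""
    tag, body, end = read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected a single SEQUENCE with no trailing bytes")
    fields, pos, last = {}, 0, -1
    while pos < len(body):
        ctx, inner, pos = read_tlv(body, pos)     # [n] EXPLICIT wrapper
        itag, value, iend = read_tlv(inner, 0)    # the wrapped universal type
        if ctx not in (0xA0, 0xA1, 0xA2) or ctx <= last or iend != len(inner):
            raise ValueError("unknown, repeated or out-of-order field")
        if itag != (0x04 if ctx == 0xA2 else 0x02):
            raise ValueError("wrong universal type inside context tag")
        fields[ctx], last = value, ctx
    if 0xA0 not in fields or 0xA2 not in fields:
        raise ValueError("etype and cipher are mandatory")
    kvno = fields.get(0xA1)
    return {"etype": int.from_bytes(fields[0xA0], "big", signed=True),
            "kvno": None if kvno is None else int.from_bytes(kvno, "big", signed=True),
            "cipher": fields[0xA2]}

# Constructed sample: etype 18 (aes256-cts-hmac-sha1-96), no kvno, 8 dummy cipher bytes.
SAMPLE = bytes.fromhex("3011a003020112a20a0408") + bytes(range(8))

if __name__ == "__main__":
    print(parse_encrypted_data(SAMPLE))
```

The cipher bytes stay opaque here: decrypting them requires the key referenced by EncryptionKey, which this example does not handle.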