3.1.1.8.11.4 Primary:Kerberos Property

When an update to supplementalCredentials occurs, the server MUST create a KERB_STORED_CREDENTIAL-structured value as specified below. This value MUST then be placed in a USER_PROPERTY structure along with the property name "Primary:Kerberos". Finally, the resulting USER_PROPERTY-structured value MUST be added to the list of properties within supplementalCredentials according to section 3.1.1.8.11.1.1.

The KERB_STORED_CREDENTIAL-structured value is variable-length: it starts with the fixed-size KERB_STORED_CREDENTIAL header structure, followed by two or four KERB_KEY_DATA structures, followed by a salt value and two or four key values. The salt and key values are not stored inline in the header or in the KERB_KEY_DATA structures; they are referenced by the offset and length fields of those structures.

Revision, Flags, DefaultSaltLength, DefaultSaltMaximumLength, and DefaultSaltOffset MUST be set as specified in section 2.2.10.4. DefaultSaltOffset, for example, is the offset of the "DefaultSalt value" section from the start of the Revision field.<34>

The server MUST calculate two hash forms of the cleartext password, as specified in [RFC3961] sections 6.2.1 and 6.2.3. Call these values Key1 and Key2.

The first two KERB_KEY_DATA MUST be set to hold Key1 and Key2. Key1 and Key2 MUST be added to the end of the structure.

If there are existing KERB_KEY_DATA elements in the property prior to the current update, these elements MUST be copied into the third and fourth KERB_KEY_DATA elements. Call the associated key values of these KERB_KEY_DATA structures Key3 and Key4. Key3 and Key4 MUST be added to the end of the structure.<35>

If there are no existing KERB_KEY_DATA elements in the property prior to the current update, the third and fourth optional KERB_KEY_DATA elements are excluded from the resulting KERB_STORED_CREDENTIAL value (and Key3 and Key4, from the preceding paragraph, are also excluded).