Network ticket logon is offered as an update to PAC validation. Use network ticket logon if the service process is untrusted, or if the service is in a different domain than the computer.
If, at any point, error STATUS_INVALID_INFO_CLASS or error RPC_NT_BAD_STUB_DATA occurs (see [MS-ERREF] section 2.3.1 for both), the chain of domain controllers does not support this form of validation and the client MUST use the PAC form of validation.
Broadly, there are five major steps in the network ticket logon process:
The Kerberos client prepares and makes a request (see [MS-APDS] sections 3.2.5.1 and 3.2.5.2)
Netlogon delivers the request (see section 3.2.4.2.1)
The Key Distribution Center (KDC) processes the request and sends a reply (see [MS-KILE] section 3.3.5.8.1)
Netlogon processes the reply and sends it to the client (see section 3.2.4.2.2)
The Kerberos client receives the reply (see [MS-APDS] section 3.2.5.4)
Depending on the network, there can be several hops—for example, the recipient receives the request and relays it to another domain controller (DC)—involved before the request arrives at the appropriate domain controller. For an example, see the figure "Pass-through authentication and domain trusts" in section 1.3.2. Ingress and egress filtering are performed at each hop.
Note: If, at any point in processing, required bits of the response message are unrecognized, the request fails.