The NETLOGON_TICKET_LOGON_INFO message is used by Kerberos to invoke the network ticket logon flow. In this flow, Kerberos calls Netlogon with the ticket, and Netlogon relays the ticket to the issuing domain in the same fashion as generic passthrough. The NETLOGON_VALIDATION_TICKET_LOGON message (section 2.2.1.4.20) then processes the validation.
The encoded data SHOULD be sent using the network logon mechanism (section 3.2.4.2).
The NETLOGON_TICKET_LOGON_INFO message is defined as follows.
typedef struct _NETLOGON_TICKET_LOGON_INFO {
    NETLOGON_LOGON_IDENTITY_INFO Identity;
    ULONGLONG RequestOptions;
    ULONG ServiceTicketLength;
    [size_is(ServiceTicketLength)] PUCHAR ServiceTicket;
    ULONG AdditionalTicketLength;
    [size_is(AdditionalTicketLength)] PUCHAR AdditionalTicket;
} NETLOGON_TICKET_LOGON_INFO, *PNETLOGON_TICKET_LOGON_INFO;
Identity: A NETLOGON_LOGON_IDENTITY_INFO structure (see section 2.2.1.4.15).
RequestOptions: An unsigned 64-bit integer that is treated as four 16-bit fields.
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|        KerberosOptions        |        TransitOptions         |
|     ComputerDomainOptions     |        CriticalOptions        |
KerberosOptions (2 bytes): An unsigned 16-bit integer that groups together flags for operations performed by the KDC in the ticket's issuing realm. There are two flags: SkipPacSignatures and RemoveResourceGroups.
                    1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
X X X X X X X X X X X X X X A B
A - RemoveResourceGroups (1 bit): When set, remove the resource groups.
B - SkipPacSignatures (1 bit): When set, signatures present in the PAC are not verified.
TransitOptions (2 bytes): An unsigned 16-bit integer that groups together flags for operations performed by Netlogon at every hop. The flags are SkipSIDFilter and SkipNamespaceFilter.
                    1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
X X X X X X X X X X X X X X A B
A - SkipNameSpaceFiltering (1 bit): When set, the user domain is not filtered against the trust domain namespace.
B - SkipSidFiltering (1 bit): When set, no SID filtering is performed and no claims are transformed.
ComputerDomainOptions (2 bytes): An unsigned 16-bit integer that groups together flags for operations performed by Netlogon in the computer's domain. The flags are SkipResourceGroups and SkipA2AChecks.
CriticalOptions (2 bytes): An unsigned 16-bit integer that groups together flags that MUST be understood to parse the rest of the request. The only defined flag is NoAuthorizationData.
                    1
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
X X X X X X X X X X X X X X X A
A - NoAuthorizationData (1 bit): When set, indicates that the ticket is to be checked but that authorization information is not to be returned.
ServiceTicketLength: An unsigned long that is the length of the service ticket.
ServiceTicket: A pointer to an unsigned character array containing the service ticket.
AdditionalTicketLength: An unsigned long that is the length of the Kerberos service ticket that is the source of authorization.
AdditionalTicket: A pointer to an unsigned character array containing the additional service ticket. If the service ticket is a User2User ticket, then the ticket-granting ticket (TGT) used as the source of the session key MUST also be provided.
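The following is an added example, not part of the specification or of any Microsoft code: it splits a RequestOptions value into its four 16-bit fields, refuses a request whose CriticalOptions carries a bit other than NoAuthorizationData, and collects the flags that relax ticket validation so they can be logged. The placement of the fields inside the ULONGLONG, the bit masks, the function names and the audit constants are assumptions made for illustration; ComputerDomainOptions is not decoded because the page gives no bit positions for its flags.

```c
#include <stdint.h>
#include <stdio.h>

/* ASSUMPTIONS (not stated on the page): the fields fill the ULONGLONG from
 * the least-significant 16 bits upward in diagram order, and diagram bit 15
 * is the least-significant bit of each field. Verify before relying on it. */
#define KRB_SKIP_PAC_SIGNATURES      0x0001u /* KerberosOptions, bit B */
#define KRB_REMOVE_RESOURCE_GROUPS   0x0002u /* KerberosOptions, bit A */
#define TRN_SKIP_SID_FILTERING       0x0001u /* TransitOptions, bit B */
#define TRN_SKIP_NAMESPACE_FILTERING 0x0002u /* TransitOptions, bit A */
#define CRIT_NO_AUTHORIZATION_DATA   0x0001u /* CriticalOptions, bit A */

/* Hypothetical audit bits for flags that relax validation of the ticket. */
enum { AUDIT_SKIP_PAC_SIG = 1, AUDIT_SKIP_SID_FILTER = 2, AUDIT_SKIP_NS_FILTER = 4 };

typedef struct { uint16_t kerberos, transit, computer_domain, critical; } request_options;

request_options split_request_options(uint64_t v) {
    request_options o;
    o.kerberos        = (uint16_t)(v & 0xFFFFu);
    o.transit         = (uint16_t)((v >> 16) & 0xFFFFu);
    o.computer_domain = (uint16_t)((v >> 32) & 0xFFFFu);
    o.critical        = (uint16_t)((v >> 48) & 0xFFFFu);
    return o;
}

/* CriticalOptions MUST be understood: refuse any bit other than the one defined. */
int critical_options_understood(const request_options *o) {
    return (o->critical & ~CRIT_NO_AUTHORIZATION_DATA) == 0;
}

/* Collect the validation-relaxing flags so they can be logged or alerted on. */
unsigned audit_flags(const request_options *o) {
    unsigned a = 0;
    if (o->kerberos & KRB_SKIP_PAC_SIGNATURES)     a |= AUDIT_SKIP_PAC_SIG;
    if (o->transit & TRN_SKIP_SID_FILTERING)       a |= AUDIT_SKIP_SID_FILTER;
    if (o->transit & TRN_SKIP_NAMESPACE_FILTERING) a |= AUDIT_SKIP_NS_FILTER;
    return a;
}

int main(void) {
    /* Constructed sample value, not taken from a real request. */
    request_options o = split_request_options(0x0001000000010003ULL);
    printf("critical understood: %d, audit flags: 0x%x\n",
           critical_options_understood(&o), audit_flags(&o));
    return 0;
}
```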