2.2.2.1 NETLOGON_TICKET_LOGON_INFO Message
The NETLOGON_TICKET_LOGON_INFO message is used by Kerberos to invoke the network ticket logon flow. In this flow, Kerberos calls Netlogon with the ticket, and Netlogon relays the ticket to the issuing domain in the same fashion as generic passthrough. The NETLOGON_VALIDATION_TICKET_LOGON message (section 2.2.3.1) carries the result of the validation. This message is defined with the following fields.
| Offset (bytes) | Field | Size (bytes) |
|---|---|---|
| 0 | CriticalOptions | 2 |
| 2 | ComputerDomainOptions | 2 |
| 4 | TransitOptions | 2 |
| 6 | KerberosOptions | 2 |
| 8 | ServiceTicketLength | 4 |
| 12 | ServiceTicket | variable (ServiceTicketLength) |
| 12 + ServiceTicketLength | AdditionalTicketLength | 4 |
| 16 + ServiceTicketLength | AdditionalTicket | variable (AdditionalTicketLength) |
CriticalOptions (2 bytes): A USHORT that contains flags that must be understood to parse the rest of the request. The following flag is defined.

| Name | Value | Meaning |
|---|---|---|
| NoAuthorizationData | 0x0000 | Only check the ticket; don't return authorization data. |
ComputerDomainOptions (2 bytes): A USHORT that contains operations performed by Netlogon in the computer's domain. The following operations are defined.

| Name | Value | Meaning |
|---|---|---|
| SkipResourceGroups | 0x0010 | Don't add resource groups from the computer's domain. |
| SkipA2AChecks | 0x0011 | Don't perform the A2A and A2ATo access checks. |
TransitOptions (2 bytes): A USHORT that contains operations performed by Netlogon at every hop. The following operations are defined.

| Name | Value | Meaning |
|---|---|---|
| SkipSIDFilter | 0x0020 | Don't filter SIDs or transform claims. |
| SkipNamespaceFilter | 0x0021 | Don't filter the user domain against the trust's namespace. |
KerberosOptions (2 bytes): A USHORT that contains operations performed by the KDC in the ticket's issuing realm. The following operations are defined.

| Name | Value | Meaning |
|---|---|---|
| SkipPacSignatures | 0x0030 | Don't verify signatures present in the PAC. |
| RemoveResourceGroups | 0x0031 | Strip resource groups from the service ticket. |
ServiceTicketLength (4 bytes): A ULONG that contains the length of the preceding service ticket.
ServiceTicket (variable): A pointer to a UCHAR. The Kerberos service ticket that's the source of authorization information.
AdditionalTicketLength (4 bytes): A ULONG that contains the length of the preceding additional ticket.
AdditionalTicket (variable): A pointer to a UCHAR. If the service ticket is a User2User ticket, the TGT used as the source of the session key must also be provided.
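An added example parser and serializer for the layout and option tables above; it is not part of the protocol specification or any Windows implementation. It assumes the diagram's linear byte order with little-endian integers (the section does not state an encoding), rejects a CriticalOptions value it does not know because that field must be understood to parse the rest of the request, and uses a constructed placeholder in place of a real Kerberos ticket.

```python
import struct
from typing import NamedTuple

# Option values as listed in the tables of this section, keyed for name lookup.
CRITICAL_OPTIONS = {0x0000: "NoAuthorizationData"}
COMPUTER_DOMAIN_OPTIONS = {0x0010: "SkipResourceGroups", 0x0011: "SkipA2AChecks"}
TRANSIT_OPTIONS = {0x0020: "SkipSIDFilter", 0x0021: "SkipNamespaceFilter"}
KERBEROS_OPTIONS = {0x0030: "SkipPacSignatures", 0x0031: "RemoveResourceGroups"}

# Fixed header: four USHORT option fields then ServiceTicketLength (ULONG). Little-endian
# encoding is an assumption of this example; the section does not state it.
HEADER = struct.Struct("<HHHHI")
ULONG = struct.Struct("<I")

class TicketLogonInfo(NamedTuple):
    critical_options: int
    computer_domain_options: int
    transit_options: int
    kerberos_options: int
    service_ticket: bytes
    additional_ticket: bytes  # TGT; required only when ServiceTicket is User2User

def build(info: TicketLogonInfo) -> bytes:
    """Serialize in diagram order: options, each length immediately before its ticket."""
    header = HEADER.pack(*info[:4], len(info.service_ticket))
    return header + info.service_ticket + ULONG.pack(len(info.additional_ticket)) + info.additional_ticket

# Constructed sample message; the ticket bytes are a placeholder, not a real Kerberos ticket.
SAMPLE = build(TicketLogonInfo(0x0000, 0x0010, 0x0020, 0x0030, b"constructed-ticket", b""))

def _take(buf: bytes, off: int, n: int, field: str) -> bytes:
    """Read exactly n bytes at off; a length running past the buffer is rejected, not clamped."""
    if off + n > len(buf):
        raise ValueError(f"{field}: need {n} bytes at offset {off}, only {len(buf) - off} remain")
    return buf[off:off + n]

def parse(buf: bytes) -> TicketLogonInfo:
    """Parse a message, rejecting unknown CriticalOptions, short buffers and trailing bytes."""
    crit, cdo, tro, kro, svc_len = HEADER.unpack(_take(buf, 0, HEADER.size, "header"))
    if crit not in CRITICAL_OPTIONS:  # must be understood to parse the rest of the request
        raise ValueError(f"unsupported CriticalOptions 0x{crit:04x}")
    off = HEADER.size
    svc = _take(buf, off, svc_len, "ServiceTicket")
    off += svc_len
    (add_len,) = ULONG.unpack(_take(buf, off, ULONG.size, "AdditionalTicketLength"))
    off += ULONG.size
    add = _take(buf, off, add_len, "AdditionalTicket")
    if off + add_len != len(buf):
        raise ValueError("trailing bytes after AdditionalTicket")
    return TicketLogonInfo(crit, cdo, tro, kro, svc, add)

def option_names(info: TicketLogonInfo) -> dict:
    """Name each option field from the section's tables; unlisted values stay as hex."""
    tables = (CRITICAL_OPTIONS, COMPUTER_DOMAIN_OPTIONS, TRANSIT_OPTIONS, KERBEROS_OPTIONS)
    return {field: table.get(value, f"0x{value:04x}")
            for field, table, value in zip(TicketLogonInfo._fields[:4], tables, info[:4])}
```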