//+-----------------------------------------------------------------------
//
// Copyright (c) 1990-1999 Microsoft Corporation
//
// File: KERBCON.H
//
// Contents: Microsoft Kerberos constants
//
//
// History: 25 Feb 92 RichardW Compiled from other files
//
//------------------------------------------------------------------------
#ifndef __KERBCON_H__
#define __KERBCON_H__
#if _MSC_VER > 1000
#pragma once
#endif
// begin_ntsecapi
// Revision of the Kerberos Protocol. MS uses Version 5, Revision 6
#define KERBEROS_VERSION 5
#define KERBEROS_REVISION 6
// Encryption Types:
// These encryption types are supported by the default MS KERBSUPP DLL
// as crypto systems. Values over 127 are local values, and may be changed
// without notice.
#define KERB_ETYPE_NULL 0
#define KERB_ETYPE_DES_CBC_CRC 1
#define KERB_ETYPE_DES_CBC_MD4 2
#define KERB_ETYPE_DES_CBC_MD5 3
// end_ntsecapi
#define KERB_ETYPE_OLD_RC4_MD4 128
#define KERB_ETYPE_OLD_RC4_PLAIN 129
#define KERB_ETYPE_OLD_RC4_LM 130
#define KERB_ETYPE_OLD_RC4_SHA 131
#define KERB_ETYPE_OLD_DES_PLAIN 132
// begin_ntsecapi
#define KERB_ETYPE_RC4_MD4 -128 // FFFFFF80
#define KERB_ETYPE_RC4_PLAIN2 -129
#define KERB_ETYPE_RC4_LM -130
#define KERB_ETYPE_RC4_SHA -131
#define KERB_ETYPE_DES_PLAIN -132
#define KERB_ETYPE_RC4_HMAC_OLD -133 // FFFFFF7B
#define KERB_ETYPE_RC4_PLAIN_OLD -134
#define KERB_ETYPE_RC4_HMAC_OLD_EXP -135
#define KERB_ETYPE_RC4_PLAIN_OLD_EXP -136
#define KERB_ETYPE_RC4_PLAIN -140
#define KERB_ETYPE_RC4_PLAIN_EXP -141
//
// Pkinit encryption types
//
#define KERB_ETYPE_DSA_SHA1_CMS 9
#define KERB_ETYPE_RSA_MD5_CMS 10
#define KERB_ETYPE_RSA_SHA1_CMS 11
#define KERB_ETYPE_RC2_CBC_ENV 12
#define KERB_ETYPE_RSA_ENV 13
#define KERB_ETYPE_RSA_ES_OEAP_ENV 14
#define KERB_ETYPE_DES_EDE3_CBC_ENV 15
//
// Deprecated
//
#define KERB_ETYPE_DSA_SIGN 8
#define KERB_ETYPE_RSA_PRIV 9
#define KERB_ETYPE_RSA_PUB 10
#define KERB_ETYPE_RSA_PUB_MD5 11
#define KERB_ETYPE_RSA_PUB_SHA1 12
#define KERB_ETYPE_PKCS7_PUB 13
//
// In use types
//
#define KERB_ETYPE_DES_CBC_MD5_NT 20
#define KERB_ETYPE_RC4_HMAC_NT 23
#define KERB_ETYPE_RC4_HMAC_NT_EXP 24
// Checksum algorithms.
// These algorithms are keyed internally for our use.
#define KERB_CHECKSUM_NONE 0
#define KERB_CHECKSUM_CRC32 1
#define KERB_CHECKSUM_MD4 2
#define KERB_CHECKSUM_KRB_DES_MAC 4
#define KERB_CHECKSUM_KRB_DES_MAC_K 5
#define KERB_CHECKSUM_MD5 7
#define KERB_CHECKSUM_MD5_DES 8
#define KERB_CHECKSUM_LM -130
#define KERB_CHECKSUM_SHA1 -131
#define KERB_CHECKSUM_REAL_CRC32 -132
#define KERB_CHECKSUM_DES_MAC -133
#define KERB_CHECKSUM_DES_MAC_MD5 -134
#define KERB_CHECKSUM_MD25 -135
#define KERB_CHECKSUM_RC4_MD5 -136
#define KERB_CHECKSUM_MD5_HMAC -137 // used by netlogon
#define KERB_CHECKSUM_HMAC_MD5 -138 // used by Kerberos
#define AUTH_REQ_ALLOW_FORWARDABLE 0x00000001
#define AUTH_REQ_ALLOW_PROXIABLE 0x00000002
#define AUTH_REQ_ALLOW_POSTDATE 0x00000004
#define AUTH_REQ_ALLOW_RENEWABLE 0x00000008
#define AUTH_REQ_ALLOW_NOADDRESS 0x00000010
#define AUTH_REQ_ALLOW_ENC_TKT_IN_SKEY 0x00000020
#define AUTH_REQ_ALLOW_VALIDATE 0x00000040
#define AUTH_REQ_VALIDATE_CLIENT 0x00000080
#define AUTH_REQ_OK_AS_DELEGATE 0x00000100
#define AUTH_REQ_PREAUTH_REQUIRED 0x00000200
#define AUTH_REQ_TRANSITIVE_TRUST 0x00000400
#define AUTH_REQ_PER_USER_FLAGS (AUTH_REQ_ALLOW_FORWARDABLE | \
AUTH_REQ_ALLOW_PROXIABLE | \
AUTH_REQ_ALLOW_POSTDATE | \
AUTH_REQ_ALLOW_RENEWABLE | \
AUTH_REQ_ALLOW_VALIDATE )
//
// Ticket Flags:
//
#define KERB_TICKET_FLAGS_reserved 0x80000000
#define KERB_TICKET_FLAGS_forwardable 0x40000000
#define KERB_TICKET_FLAGS_forwarded 0x20000000
#define KERB_TICKET_FLAGS_proxiable 0x10000000
#define KERB_TICKET_FLAGS_proxy 0x08000000
#define KERB_TICKET_FLAGS_may_postdate 0x04000000
#define KERB_TICKET_FLAGS_postdated 0x02000000
#define KERB_TICKET_FLAGS_invalid 0x01000000
#define KERB_TICKET_FLAGS_renewable 0x00800000
#define KERB_TICKET_FLAGS_initial 0x00400000
#define KERB_TICKET_FLAGS_pre_authent 0x00200000
#define KERB_TICKET_FLAGS_hw_authent 0x00100000
#define KERB_TICKET_FLAGS_ok_as_delegate 0x00040000
#define KERB_TICKET_FLAGS_name_canonicalize 0x00010000
#define KERB_TICKET_FLAGS_cname_in_pa_data 0x00040000
#define KERB_TICKET_FLAGS_reserved1 0x00000001
// end_ntsecapi
//
// Policy
//
#define KERBDEF_MAX_TICKET 10 // hours
#define KERBDEF_MAX_RENEW 7 // days
#define KERBDEF_MAX_SERVICE 600 // minutes
#define KERBDEF_MAX_CLOCK 5 // minutes
#define KERBDEF_VALIDATE 1 // yes
#define KDC_AUDIT_AS_SUCCESS 0x1
#define KDC_AUDIT_AS_FAILURE 0x2
#define KDC_AUDIT_TGS_SUCCESS 0x4
#define KDC_AUDIT_TGS_FAILURE 0x8
#define KDC_AUDIT_MAP_SUCCESS 0x10
#define KDC_AUDIT_MAP_FAILURE 0x20
#define KDC_MAKE_STATE(AuthFlag, AuditFlag) (((AuditFlag) << 16) | ((AuthFlag) & 0xffff))
#define KDC_AUTH_STATE(StateFlags) ((StateFlags) & 0xffff)
#define KDC_AUDIT_STATE(StateFlags) ((StateFlags) >> 16)
// begin_ntsecapi
//
// Name types
//
#define KRB_NT_UNKNOWN 0 // Name type not known
#define KRB_NT_PRINCIPAL 1 // Just the name of the principal as in DCE, or for users
#define KRB_NT_PRINCIPAL_AND_ID -131 // Name of the principal and its SID.
#define KRB_NT_SRV_INST 2 // Service and other unique instance (krbtgt)
#define KRB_NT_SRV_INST_AND_ID -132 // SPN and SID
#define KRB_NT_SRV_HST 3 // Service with host name as instance (telnet, rcommands)
#define KRB_NT_SRV_XHST 4 // Service with host as remaining components
#define KRB_NT_UID 5 // Unique ID
#define KRB_NT_ENTERPRISE_PRINCIPAL 10 // UPN or SPN
#define KRB_NT_ENT_PRINCIPAL_AND_ID -130 // UPN and SID
//
// MS extensions, negative according to the RFC
//
#define KRB_NT_MS_PRINCIPAL -128 // NT4 style name
#define KRB_NT_MS_PRINCIPAL_AND_ID -129 // nt4 style name with sid
#define KERB_IS_MS_PRINCIPAL(_x_) (((_x_) <= KRB_NT_MS_PRINCIPAL) || ((_x_) >= KRB_NT_ENTERPRISE_PRINCIPAL))
// end_ntsecapi
#endif // __KERBCON_H__