//+-----------------------------------------------------------------------
//
//  Copyright (c) 1990-1999 Microsoft Corporation
//
//  File:       KERBEROS.H
//
//  Contents:   Public Kerberos Security Package structures for use
//              with APIs from SECURITY.H
//
//              Everything in this header is a wire/ABI contract: the
//              structures are marshalled through LsaLogonUser and
//              LsaCallAuthenticationPackage, so field order, types and
//              widths must not change.  The "begin_ntsecapi" /
//              "end_ntsecapi" markers delimit the parts that are also
//              published in NTSECAPI.H.
//
//  History:    26 Feb 92,  RichardW    Compiled from other files
//
//------------------------------------------------------------------------

#ifndef __KERBEROS_H__
#define __KERBEROS_H__

#if _MSC_VER > 1000
#pragma once
#endif

// NOTE(review): the targets of the two #include directives below were lost
// when this page was extracted (the "<...>" part is missing).  They must be
// restored from the original header before this file can be compiled.
#include
#include

// begin_ntsecapi

#ifndef MICROSOFT_KERBEROS_NAME_A

//
// Name of the security package as passed to AcquireCredentialsHandle and
// LsaLookupAuthenticationPackage.
//
#define MICROSOFT_KERBEROS_NAME_A   "Kerberos"
#define MICROSOFT_KERBEROS_NAME_W   L"Kerberos"

#ifdef WIN32_CHICAGO
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_A
#else
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_W
#endif // WIN32_CHICAGO

#endif // MICROSOFT_KERBEROS_NAME_A

// end_ntsecapi

//
// Per-context options handed to the package when a security context is
// initialized.
//
typedef struct _KERB_INIT_CONTEXT_DATA {
    LARGE_INTEGER StartTime;            // Start time
    LARGE_INTEGER EndTime;              // End time
    LARGE_INTEGER RenewUntilTime;       // Renew until time
    ULONG TicketOptions;                // From krb5.h
    ULONG RequestOptions;               // Options on what to return
} KERB_INIT_CONTEXT_DATA, *PKERB_INIT_CONTEXT_DATA;

// Values for KERB_INIT_CONTEXT_DATA.RequestOptions.
#define KERB_INIT_RETURN_TICKET         0x1     // return raw ticket
#define KERB_INIT_RETURN_MIT_AP_REQ     0x2     // return MIT style AP request

// begin_ntsecapi

/////////////////////////////////////////////////////////////////////////
//
// Quality of protection parameters for MakeSignature / EncryptMessage
//
/////////////////////////////////////////////////////////////////////////

//
// This flag indicates to EncryptMessage that the message is not to actually
// be encrypted, but a header/trailer are to be produced.
//
// NOTE(review): with this flag the payload travels in the clear; only
// integrity protection (if any) is provided by the resulting token.
//

#define KERB_WRAP_NO_ENCRYPT 0x80000001

/////////////////////////////////////////////////////////////////////////
//
// LsaLogonUser parameters
//
/////////////////////////////////////////////////////////////////////////

//
// Discriminator stored in the first field (MessageType) of every logon
// submit buffer below.  The numbering is shared with the MSV1_0 package,
// which is why it does not start at 0.
//
typedef enum _KERB_LOGON_SUBMIT_TYPE {
    KerbInteractiveLogon = 2,
    KerbSmartCardLogon = 6,
    KerbWorkstationUnlockLogon = 7,
    KerbSmartCardUnlockLogon = 8,
    KerbProxyLogon = 9,
    KerbTicketLogon = 10,
    KerbTicketUnlockLogon = 11,
    KerbS4ULogon = 12
} KERB_LOGON_SUBMIT_TYPE, *PKERB_LOGON_SUBMIT_TYPE;

//
// Password-based logon.  Password is a cleartext secret; callers are
// expected to clear the backing buffer once LsaLogonUser returns.
//
// NOTE(review): the submit buffer is copied into the LSA process, so the
// UNICODE_STRING buffers are presumably required to lie inside the
// submitted block (or be marked relative) - confirm against the
// LsaLogonUser contract before relying on absolute pointers.
//
typedef struct _KERB_INTERACTIVE_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    UNICODE_STRING LogonDomainName;
    UNICODE_STRING UserName;
    UNICODE_STRING Password;
} KERB_INTERACTIVE_LOGON, *PKERB_INTERACTIVE_LOGON;

//
// Workstation unlock: same as the interactive logon plus the LogonId of the
// session being unlocked.
//
typedef struct _KERB_INTERACTIVE_UNLOCK_LOGON {
    KERB_INTERACTIVE_LOGON Logon;
    LUID LogonId;
} KERB_INTERACTIVE_UNLOCK_LOGON, *PKERB_INTERACTIVE_UNLOCK_LOGON;

//
// Smart card logon.  Pin is a cleartext secret (see note on the interactive
// logon); CspData is an opaque blob of CspDataLength bytes whose layout is
// defined elsewhere.
//
typedef struct _KERB_SMART_CARD_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    UNICODE_STRING Pin;
    ULONG CspDataLength;
    PUCHAR CspData;
} KERB_SMART_CARD_LOGON, *PKERB_SMART_CARD_LOGON;

typedef struct _KERB_SMART_CARD_UNLOCK_LOGON {
    KERB_SMART_CARD_LOGON Logon;
    LUID LogonId;
} KERB_SMART_CARD_UNLOCK_LOGON, *PKERB_SMART_CARD_UNLOCK_LOGON;

//
// Structure used for a ticket-only logon
//
// Both ticket blobs are caller-supplied, externally encoded data; the
// package must validate them (and the two *Length fields against the
// submit buffer) rather than trust the lengths as given.
//
typedef struct _KERB_TICKET_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    ULONG Flags;
    ULONG ServiceTicketLength;
    ULONG TicketGrantingTicketLength;
    PUCHAR ServiceTicket;               // REQUIRED: Service ticket "host"
    PUCHAR TicketGrantingTicket;        // OPTIONAL: User's encoded in a KERB_CRED message, encrypted with session key from service ticket
} KERB_TICKET_LOGON, *PKERB_TICKET_LOGON;

//
// Flags for the ticket logon flags field
//
// NOTE(review): accepting an expired service ticket relaxes the lifetime
// check that normally bounds ticket replay; callers setting this flag
// should have a specific reason.
//
#define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1

typedef struct _KERB_TICKET_UNLOCK_LOGON {
    KERB_TICKET_LOGON Logon;
    LUID LogonId;
} KERB_TICKET_UNLOCK_LOGON, *PKERB_TICKET_UNLOCK_LOGON;

//
// Used for S4U Client requests
//
// Logon on behalf of another principal (service-for-user); no secret for
// the client is supplied, so the caller's own authorization is what gates
// this operation.
//
typedef struct _KERB_S4U_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    ULONG Flags;
    UNICODE_STRING ClientUpn;           // REQUIRED: UPN for client
    UNICODE_STRING ClientRealm;         // Optional: Client Realm, if known
} KERB_S4U_LOGON, *PKERB_S4U_LOGON;

//
// TBD: Flags for S4UToSelf() logon
//

//
// Use the same profile structure as MSV1_0
//

typedef enum _KERB_PROFILE_BUFFER_TYPE {
    KerbInteractiveProfile = 2,
    KerbSmartCardProfile = 4,
    KerbTicketProfile = 6
} KERB_PROFILE_BUFFER_TYPE, *PKERB_PROFILE_BUFFER_TYPE;

//
// Profile buffer returned by LsaLogonUser for a successful interactive logon.
//
typedef struct _KERB_INTERACTIVE_PROFILE {
    KERB_PROFILE_BUFFER_TYPE MessageType;
    USHORT LogonCount;
    USHORT BadPasswordCount;
    LARGE_INTEGER LogonTime;
    LARGE_INTEGER LogoffTime;
    LARGE_INTEGER KickOffTime;
    LARGE_INTEGER PasswordLastSet;
    LARGE_INTEGER PasswordCanChange;
    LARGE_INTEGER PasswordMustChange;
    UNICODE_STRING LogonScript;
    UNICODE_STRING HomeDirectory;
    UNICODE_STRING FullName;
    UNICODE_STRING ProfilePath;
    UNICODE_STRING HomeDirectoryDrive;
    UNICODE_STRING LogonServer;
    ULONG UserFlags;
} KERB_INTERACTIVE_PROFILE, *PKERB_INTERACTIVE_PROFILE;

//
// For smart card, we return a smart card profile, which is an interactive
// profile plus a certificate
//
typedef struct _KERB_SMART_CARD_PROFILE {
    KERB_INTERACTIVE_PROFILE Profile;
    ULONG CertificateSize;
    PUCHAR CertificateData;
} KERB_SMART_CARD_PROFILE, *PKERB_SMART_CARD_PROFILE;

//
// For a ticket logon profile, we return the session key from the ticket
//

//
// Raw key material.  KeyType is the Kerberos encryption type; Value points
// at Length bytes of key.  Anything holding one of these holds a secret and
// should clear it when done.
//
typedef struct KERB_CRYPTO_KEY {
    LONG KeyType;
    ULONG Length;
    PUCHAR Value;
} KERB_CRYPTO_KEY, *PKERB_CRYPTO_KEY;

typedef struct _KERB_TICKET_PROFILE {
    KERB_INTERACTIVE_PROFILE Profile;
    KERB_CRYPTO_KEY SessionKey;
} KERB_TICKET_PROFILE, *PKERB_TICKET_PROFILE;

//
// Discriminator for LsaCallAuthenticationPackage requests.  Values are
// sequential from 0; new messages are appended at the end to keep existing
// values stable.
//
typedef enum _KERB_PROTOCOL_MESSAGE_TYPE {
    KerbDebugRequestMessage = 0,
    KerbQueryTicketCacheMessage,
    KerbChangeMachinePasswordMessage,
    KerbVerifyPacMessage,
    KerbRetrieveTicketMessage,
    KerbUpdateAddressesMessage,
    KerbPurgeTicketCacheMessage,
    KerbChangePasswordMessage,
    KerbRetrieveEncodedTicketMessage,
    KerbDecryptDataMessage,
    KerbAddBindingCacheEntryMessage,
    KerbSetPasswordMessage,
    KerbSetPasswordExMessage,
    KerbVerifyCredentialsMessage,
    KerbQueryTicketCacheExMessage,
    KerbPurgeTicketCacheExMessage,
    // KerbRetrieveEncodedTicketExMessage,
} KERB_PROTOCOL_MESSAGE_TYPE, *PKERB_PROTOCOL_MESSAGE_TYPE;

// end_ntsecapi

//
// Structure for a debugging request
//
// These are not part of the published NTSECAPI surface.
//

#define KERB_DEBUG_REQ_BREAKPOINT   0x1
#define KERB_DEBUG_REQ_CALL_PACK    0x2
#define KERB_DEBUG_REQ_DATAGRAM     0x3
#define KERB_DEBUG_REQ_STATISTICS   0x4
#define KERB_DEBUG_CREATE_TOKEN     0x5

typedef struct _KERB_DEBUG_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG DebugRequest;
} KERB_DEBUG_REQUEST, *PKERB_DEBUG_REQUEST;

// Variable-length reply; Data runs to the end of the returned buffer.
typedef struct _KERB_DEBUG_REPLY {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UCHAR Data[ANYSIZE_ARRAY];
} KERB_DEBUG_REPLY, *PKERB_DEBUG_REPLY;

typedef struct _KERB_DEBUG_STATS {
    ULONG CacheHits;
    ULONG CacheMisses;
    ULONG SkewedRequests;
    ULONG SuccessRequests;
    LARGE_INTEGER LastSync;
} KERB_DEBUG_STATS, *PKERB_DEBUG_STATS;

// begin_ntsecapi

//
// Used both for retrieving tickets and for querying ticket cache
//
// NOTE(review): LogonId selects whose ticket cache is read; the package
// presumably restricts callers without the appropriate privilege to their
// own logon session - confirm in the handler.
//
typedef struct _KERB_QUERY_TKT_CACHE_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
} KERB_QUERY_TKT_CACHE_REQUEST, *PKERB_QUERY_TKT_CACHE_REQUEST;

typedef struct _KERB_TICKET_CACHE_INFO {
    UNICODE_STRING ServerName;
    UNICODE_STRING RealmName;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewTime;
    LONG EncryptionType;
    ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO, *PKERB_TICKET_CACHE_INFO;

// Extended form of KERB_TICKET_CACHE_INFO that also names the client principal.
typedef struct _KERB_TICKET_CACHE_INFO_EX {
    UNICODE_STRING ClientName;
    UNICODE_STRING ClientRealm;
    UNICODE_STRING ServerName;
    UNICODE_STRING ServerRealm;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewTime;
    LONG EncryptionType;
    ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO_EX, *PKERB_TICKET_CACHE_INFO_EX;

//
// Tickets[] holds CountOfTickets entries; the buffer length returned by the
// LSA, not the nominal array size, bounds it.
//
typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG CountOfTickets;
    KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_RESPONSE, *PKERB_QUERY_TKT_CACHE_RESPONSE;

typedef struct _KERB_QUERY_TKT_CACHE_EX_RESPONSE {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG CountOfTickets;
    KERB_TICKET_CACHE_INFO_EX Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_EX_RESPONSE, *PKERB_QUERY_TKT_CACHE_EX_RESPONSE;

//
// Types for retrieving encoded ticket from the cache
//

// Opaque SSPI handle; defined here only if SSPI headers were not included first.
#ifndef __SECHANDLE_DEFINED__
typedef struct _SecHandle {
    ULONG_PTR dwLower;
    ULONG_PTR dwUpper;
} SecHandle, *PSecHandle;

#define __SECHANDLE_DEFINED__
#endif // __SECHANDLE_DEFINED__

// Ticket Flags

#define KERB_USE_DEFAULT_TICKET_FLAGS       0x0

// CacheOptions

#define KERB_RETRIEVE_TICKET_DEFAULT        0x0
#define KERB_RETRIEVE_TICKET_DONT_USE_CACHE 0x1
#define KERB_RETRIEVE_TICKET_USE_CACHE_ONLY 0x2
#define KERB_RETRIEVE_TICKET_USE_CREDHANDLE 0x4
#define KERB_RETRIEVE_TICKET_AS_KERB_CRED   0x8
#define KERB_RETRIEVE_TICKET_WITH_SEC_CRED  0x10

// Encryption Type options

#define KERB_ETYPE_DEFAULT                  0x0     // don't specify etype in tkt req.

// Opaque authorization-data element: Length bytes at Data, tagged by Type.
typedef struct _KERB_AUTH_DATA {
    ULONG Type;
    ULONG Length;
    PUCHAR Data;
} KERB_AUTH_DATA, *PKERB_AUTH_DATA;

typedef struct _KERB_NET_ADDRESS {
    ULONG Family;
    ULONG Length;
    PCHAR Address;
} KERB_NET_ADDRESS, *PKERB_NET_ADDRESS;

typedef struct _KERB_NET_ADDRESSES {
    ULONG Number;
    KERB_NET_ADDRESS Addresses[ANYSIZE_ARRAY];
} KERB_NET_ADDRESSES, *PKERB_NET_ADDRESSES;

//
// Types for the information about a ticket
//

// Principal name: NameCount components in Names[], typed by NameType.
typedef struct _KERB_EXTERNAL_NAME {
    SHORT NameType;
    USHORT NameCount;
    UNICODE_STRING Names[ANYSIZE_ARRAY];
} KERB_EXTERNAL_NAME, *PKERB_EXTERNAL_NAME;

//
// A ticket as handed out of the cache.  SessionKey is secret material and
// EncodedTicket is the raw ticket; a caller that persists or forwards either
// effectively hands over the credential it represents.
//
typedef struct _KERB_EXTERNAL_TICKET {
    PKERB_EXTERNAL_NAME ServiceName;
    PKERB_EXTERNAL_NAME TargetName;
    PKERB_EXTERNAL_NAME ClientName;
    UNICODE_STRING DomainName;
    UNICODE_STRING TargetDomainName;
    UNICODE_STRING AltTargetDomainName;
    KERB_CRYPTO_KEY SessionKey;
    ULONG TicketFlags;
    ULONG Flags;
    LARGE_INTEGER KeyExpirationTime;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewUntil;
    LARGE_INTEGER TimeSkew;
    ULONG EncodedTicketSize;
    PUCHAR EncodedTicket;
} KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET;

// Disabled draft of an extended ticket layout; not part of the ABI.
#if 0
typedef struct _KERB_EXTERNAL_TICKET_EX {
    PKERB_EXTERNAL_NAME ClientName;
    PKERB_EXTERNAL_NAME ServiceName;
    PKERB_EXTERNAL_NAME TargetName;
    UNICODE_STRING ClientRealm;
    UNICODE_STRING ServerRealm;
    UNICODE_STRING TargetDomainName;
    UNICODE_STRING AltTargetDomainName;
    KERB_CRYPTO_KEY SessionKey;
    ULONG TicketFlags;
    ULONG Flags;
    LARGE_INTEGER KeyExpirationTime;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewUntil;
    LARGE_INTEGER TimeSkew;
    PKERB_NET_ADDRESSES TicketAddresses;
    PKERB_AUTH_DATA AuthorizationData;
    _KERB_EXTERNAL_TICKET_EX * SecondTicket;
    ULONG EncodedTicketSize;
    PUCHAR EncodedTicket;
} KERB_EXTERNAL_TICKET_EX, *PKERB_EXTERNAL_TICKET_EX;
#endif // 0

//
// Ticket retrieval request.  CacheOptions takes the KERB_RETRIEVE_TICKET_*
// values above; CredentialsHandle is consulted when
// KERB_RETRIEVE_TICKET_USE_CREDHANDLE is set.
//
typedef struct _KERB_RETRIEVE_TKT_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    UNICODE_STRING TargetName;
    ULONG TicketFlags;
    ULONG CacheOptions;
    LONG EncryptionType;
    SecHandle CredentialsHandle;
} KERB_RETRIEVE_TKT_REQUEST, *PKERB_RETRIEVE_TKT_REQUEST;

#if 0
typedef struct _KERB_RETRIEVE_TKT_EX_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    KERB_TICKET_CACHE_INFO_EX TicketTemplate;
    ULONG CacheOptions;
    SecHandle CredentialsHandle;
    PKERB_EXTERNAL_TICKET_EX SecondTicket;
    PKERB_AUTH_DATA UserAuthData;
    PKERB_NET_ADDRESS Addresses;
} KERB_RETRIEVE_TKT_EX_REQUEST, *PKERB_RETRIEVE_TKT_EX_REQUEST;
#endif // 0

typedef struct _KERB_RETRIEVE_TKT_RESPONSE {
    KERB_EXTERNAL_TICKET Ticket;
} KERB_RETRIEVE_TKT_RESPONSE, *PKERB_RETRIEVE_TKT_RESPONSE;

#if 0
typedef struct _KERB_RETRIEVE_TKT_EX_RESPONSE {
    KERB_EXTERNAL_TICKET_EX Ticket;
} KERB_RETRIEVE_TKT_EX_RESPONSE, *PKERB_RETRIEVE_TKT_EX_RESPONSE;
#endif // 0

//
// Used to purge entries from the ticket cache
//
typedef struct _KERB_PURGE_TKT_CACHE_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    UNICODE_STRING ServerName;
    UNICODE_STRING RealmName;
} KERB_PURGE_TKT_CACHE_REQUEST, *PKERB_PURGE_TKT_CACHE_REQUEST;

//
// Flags for purge requests
//

#define KERB_PURGE_ALL_TICKETS 1

// Extended purge: entries matching TicketTemplate are removed (all if
// KERB_PURGE_ALL_TICKETS is set in Flags).
typedef struct _KERB_PURGE_TKT_CACHE_EX_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    ULONG Flags;
    KERB_TICKET_CACHE_INFO_EX TicketTemplate;
} KERB_PURGE_TKT_CACHE_EX_REQUEST, *PKERB_PURGE_TKT_CACHE_EX_REQUEST;

// end_ntsecapi

//
// This must match NT_OWF_PASSWORD_LENGTH
//
// Both fields carry cleartext secrets (see the note on the interactive logon
// buffer about clearing them).
//
typedef struct _KERB_CHANGE_MACH_PWD_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING NewPassword;
    UNICODE_STRING OldPassword;
} KERB_CHANGE_MACH_PWD_REQUEST, *PKERB_CHANGE_MACH_PWD_REQUEST;

//
// These messages are used by the kerberos package to verify that the PAC in a
// ticket is valid. It is remoted from a workstation to a DC in the workstation's
// domain. On failure there is no response message. On success there may be no
// message or the same message may be used to send back a PAC updated with
// local groups from the domain controller. The checksum is placed in the
// final buffer first, followed by the signature.
//
// The receiver must check ChecksumLength + SignatureLength against the
// actual size of the buffer before reading ChecksumAndSignature.
//

// NOTE(review): the target of this #include (and of the matching one after
// KERB_UPDATE_ADDRESSES_REQUEST) was lost in extraction.  The pair looks like
// a structure-packing push/pop around the two remoted structures, which
// would make their on-the-wire layout depend on it - confirm and restore.
#include

typedef struct _KERB_VERIFY_PAC_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG ChecksumLength;
    ULONG SignatureType;
    ULONG SignatureLength;
    UCHAR ChecksumAndSignature[ANYSIZE_ARRAY];
} KERB_VERIFY_PAC_REQUEST, *PKERB_VERIFY_PAC_REQUEST;

//
// Message for update Kerberos's list of addresses. The address count should
// be the number of addresses & the addresses should be an array of
// SOCKET_ADDRESS structures. The message type should be KerbUpdateAddressesMessage
//
typedef struct _KERB_UPDATE_ADDRESSES_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG AddressCount;
    ULONG Addresses[ANYSIZE_ARRAY];     // array of SOCKET_ADDRESS structures
} KERB_UPDATE_ADDRESSES_REQUEST, *PKERB_UPDATE_ADDRESSES_REQUEST;

// NOTE(review): include target lost in extraction (see note above).
#include

// begin_ntsecapi

//
// KerbChangePassword
//
// KerbChangePassword changes the password on the KDC account plus
// the password cache and logon credentials if applicable.
//
// OldPassword and NewPassword are cleartext secrets.
//

typedef struct _KERB_CHANGEPASSWORD_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING DomainName;
    UNICODE_STRING AccountName;
    UNICODE_STRING OldPassword;
    UNICODE_STRING NewPassword;
    BOOLEAN Impersonating;
} KERB_CHANGEPASSWORD_REQUEST, *PKERB_CHANGEPASSWORD_REQUEST;

//
// KerbSetPassword
//
// KerbSetPassword changes the password on the KDC account plus
// the password cache and logon credentials if applicable.
//
// Unlike KerbChangePassword no old password is supplied; the caller's
// authority comes from LogonId or CredentialsHandle, selected by the
// KERB_SETPASS_USE_* value in Flags.
//

typedef struct _KERB_SETPASSWORD_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    SecHandle CredentialsHandle;
    ULONG Flags;
    UNICODE_STRING DomainName;
    UNICODE_STRING AccountName;
    UNICODE_STRING Password;
} KERB_SETPASSWORD_REQUEST, *PKERB_SETPASSWORD_REQUEST;

typedef struct _KERB_SETPASSWORD_EX_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    SecHandle CredentialsHandle;
    ULONG Flags;
    UNICODE_STRING AccountRealm;
    UNICODE_STRING AccountName;
    UNICODE_STRING Password;
    UNICODE_STRING ClientRealm;
    UNICODE_STRING ClientName;
    BOOLEAN Impersonating;
    UNICODE_STRING KdcAddress;
    ULONG KdcAddressType;
} KERB_SETPASSWORD_EX_REQUEST, *PKERB_SETPASSWORD_EX_REQUEST;

#define DS_UNKNOWN_ADDRESS_TYPE     0   // anything *but* IP

// Values for KERB_SETPASSWORD_REQUEST.Flags / KERB_SETPASSWORD_EX_REQUEST.Flags.
#define KERB_SETPASS_USE_LOGONID    1
#define KERB_SETPASS_USE_CREDHANDLE 2

//
// Decrypt caller-supplied ciphertext with either an explicit key or the
// logon session's primary key (see KERB_DECRYPT_FLAG_DEFAULT_KEY).
//
// NOTE(review): decrypting arbitrary data under a session's primary key is a
// powerful operation; the handler is presumably gated on the caller's right
// to that LogonId - confirm.
//
typedef struct _KERB_DECRYPT_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    ULONG Flags;
    LONG CryptoType;
    LONG KeyUsage;
    KERB_CRYPTO_KEY Key;                // optional
    ULONG EncryptedDataSize;
    ULONG InitialVectorSize;
    PUCHAR InitialVector;
    PUCHAR EncryptedData;
} KERB_DECRYPT_REQUEST, *PKERB_DECRYPT_REQUEST;

//
// If set, use the primary key from the current logon session or the one provided in the LogonId field.
// Otherwise, use the Key in the KERB_DECRYPT_REQUEST.
//
#define KERB_DECRYPT_FLAG_DEFAULT_KEY 0x00000001

// Plaintext runs to the end of the returned buffer.
typedef struct _KERB_DECRYPT_RESPONSE {
    UCHAR DecryptedData[ANYSIZE_ARRAY];
} KERB_DECRYPT_RESPONSE, *PKERB_DECRYPT_RESPONSE;

//
// Request structure for adding a binding cache entry.  TCB privilege
// is required for this operation.
//
// The privilege requirement matters: a binding cache entry redirects KDC
// traffic for RealmName to KdcAddress.
//
typedef struct _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING RealmName;
    UNICODE_STRING KdcAddress;
    ULONG AddressType;                  //dsgetdc.h DS_NETBIOS_ADDRESS||DS_INET_ADDRESS
} KERB_ADD_BINDING_CACHE_ENTRY_REQUEST, *PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST;

// end_ntsecapi

//
// Verify a name/password pair without creating a logon session.  Password is
// a cleartext secret.
//
typedef struct _KERB_VERIFY_CREDENTIALS_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING UserName;
    UNICODE_STRING DomainName;
    UNICODE_STRING Password;
    ULONG VerifyFlags;
} KERB_VERIFY_CREDENTIALS_REQUEST, *PKERB_VERIFY_CREDENTIALS_REQUEST;

//
// Location of Kerb authentication package data
//
// NOTE(review): this registry value configures what the package loads for
// sub-authentication; the key's ACL is therefore security-sensitive and
// changes to it are worth monitoring.  MASK/FLAG split the value into a
// flag bit (bit 31) and an id (low 31 bits).
//

#define KERB_SUBAUTHENTICATION_KEY      "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos"
#define KERB_SUBAUTHENTICATION_VALUE    "Auth"
#define KERB_SUBAUTHENTICATION_MASK     0x7fffffff
#define KERB_SUBAUTHENTICATION_FLAG     0x80000000

#endif // __KERBEROS_H__