Share via

2.2.1.4.19 NETLOGON_TICKET_LOGON_INFO

  • Article

The NETLOGON_TICKET_LOGON_INFO message is used by Kerberos to invoke the network ticket logon flow. In this flow, it calls Netlogon with the ticket which relays the ticket to the issuing domain in the same fashion as generic passthrough. Afterwards, the NETLOGON_VALIDATION_TICKET_LOGON message (section 2.2.1.4.20) then processes the validation.

The NETLOGON_TICKET_LOGON_INFO MUST be encoded as a contiguous buffer. The encoded data SHOULD be sent by using the generic pass-through mechanism (section 3.2.4.1).

The NETLOGON_TICKET_LOGON_INFO message is defined as follows.

 typedef struct _NETLOGON_TICKET_LOGON_INFO {
     NETLOGON_LOGON_IDENTITY_INFO Identity; 
  
 #ifdef MIDL_PASS
     ULONGLONG RequestOptions; 
 #else
     union
     {
         union
         {
             ULONGLONG RequestOptions; 
             
             struct
             {
                 USHORT CriticalOptions; 
                 USHORT ComputerDomainOptions; 
                 USHORT TransitOptions; 
                 USHORT KerberosOptions; 
             } DUMMYSTRUCTNAME;
         } DUMMYUNIONNAME;
         
         struct
         {
             
             USHORT NoAuthorizationData : 1; 
             USHORT : 0; 
             
             USHORT SkipResourceGroups : 1; 
             USHORT SkipA2AChecks : 1; 
             USHORT : 0; 
             
             USHORT SkipSIDFilter : 1; 
             USHORT SkipNamespaceFilter : 1; 
             USHORT : 0; 
             
             USHORT SkipPacSignatures : 1; 
             USHORT RemoveResourceGroups: 1; 
            
          } DUMMYSTRUCTNAME;
     } DUMMYUNIONNAME;
 #endif
  
     ULONG ServiceTicketLength;
 #ifdef MIDL_PASS
     [size_is(ServiceTicketLength)]
 #endif 
     PUCHAR ServiceTicket;
  
     ULONG AdditionalTicketLength;
 #ifdef MIDL_PASS
     [size_is(AdditionalTicketLength)]
 #endif 
     PUCHAR AdditionalTicket;

 } NETLOGON_TICKET_LOGON_INFO, *PNETLOGON_TICKET_LOGON_INFO;

The NETLOGON_TICKET_LOGON_INFO structure consists of multiple nested unions which provide access to elements either individually or collectively as a single value. The following describes each field and its relationship to other fields. Because of the complex nesting of the unions, the list does not use indenting to show the relationships. Refer to the preceding typedef and the following descriptions for the relationships.

Identity: A NETLOGON_LOGON_IDENTITY_INFO structure (see section 2.2.1.4.15).

RequestOptions: An unsigned 64-bit integer that becomes an alias for the union that follows it.

RequestOptions: An unsigned 64-bit integer that becomes an alias for the struct that follows.

CriticalOptions: An unsigned 16-bit integer that groups together flags that must be understood to parse the rest of the request. The only defined flag is NoAuthorizationData.

ComputerDomainOptions: An unsigned 16-bit integer that groups together flags for operations performed by Netlogon in the computer's domain. The flags are SkipResourceGroups and SkipA2AChecks.

TransitOptions: An unsigned 16-bit integer that groups together flags for operations performed by Netlogon at every hop. The flags are SkipSIDFilter and SkipNamespeceFilter.

KerberosOptions: An unsigned 16-bit integer that groups together flags for operations performed by the KDC in the ticket's issuing realm. There are two flags: SkipPacSignatures and RemoveResourceGroups.

NoAuthorizationData: A one-bit field grouped under CriticalOptions. When set, indicates that the ticket is to be checked but that authorization information is not to be returned.

SkipResourceGroups: A one-bit field grouped under ComputerDomainOptions. When set, indicates that resource groups in the computer’s domain are not to be added.

SkipA2AChecks: A one-bit field grouped under ComputerDomainOptions. When set, indicates that A2A and A2ATo checks are not to be performed.

SkipSIDFilter:            A one-bit field grouped under TransitOptions. When set, no SID filtering is performed and no claims are transformed.

SkipNamespaceFilter: A one-bit field grouped under TransitOptions. When set, the user domain is not filtered against the trust domain namespace.

SkipPacSignatures: A one-bit field grouped under KerberosOptions. When set, does not verify signatures present in the PAC.

RemoveResourceGroups: A one-bit field grouped under KerberosOptions. When set, strips resource groups from the service ticket.

ServiceTicketLength:            An unsigned long that is the length of the service ticket.

ServiceTicket:            A pointer to an unsigned character array containing the service ticket.

AdditionalTicketLength: An unsigned long that is the length of the Kerberos service ticket that is the source of authorization.

AdditionalTicket: A pointer to a UCHAR containing the additional service ticket. If the service ticket is a User2User ticket then the ticket-granting ticket (TGT) used as the source of the session key must also be provided.