2.2.2.1.6 UnpackKdcReplyBody
The UnpackKdcReplyBody structure is used to decrypt the encrypted part of a KRB_KDC_REP message ([RFC4120] section 5.4.2) from the KDC. The type of reply is indicated by the PDU, either encrypted AS_REP PDU or encrypted TGS_REP PDU. The KeyUsage field allows the caller to specify either the TGS or AS key derivation types.<3>
When populating this field of the KerbCredIsoRemoteInput structure, the CallId field MUST be set to RemoteCallKerbUnpackKdcReplyBody.
-
struct { KERB_ASN1_DATA* EncryptedData; KERB_RPC_ENCRYPTION_KEY* Key; KERB_RPC_ENCRYPTION_KEY* StrengthenKey; ULONG Pdu; ULONG KeyUsage; } UnpackKdcReplyBody;
EncryptedData: A pointer to a KERB_ASN1_DATA structure (section 2.2.1.2.1) that contains the DER-encoded, encrypted reply data to be decrypted.
Key: A pointer to a KERB_RPC_ENCRYPTION_KEY structure (section 2.2.1.2.8) that is the opaque structure associated with the decryption key that the CredSSP server uses. The exact format of this structure is CredSSP client dependent. The key comes from a previous UnpackKdcReplyBody output message (section 2.2.2.1.6) or the CredSSP client.
StrengthenKey: A pointer to a KERB_RPC_ENCRYPTION_KEY structure that contains the reply strengthening key, if any, supplied by the KDC for increasing the strength of encryption on the reply.
Pdu: A ULONG that contains the PDU used to decode the data. MUST be zero and SHOULD be ignored.<4>
KeyUsage: A ULONG that contains the key usage flags for decryption. MUST be one of the following values from [RFC4120] section 7.5.1:
-
Value
Meaning
3
KRB_AS_REP key usage number.
8
KRB_TS_REP key usage number.
When populating this field of the KerbCredIsoRemoteOutput structure, the CallId field MUST be set to RemoteCallKerbUnpackKdcReplyBody.
-
struct { LONG KerbProtocolError; KERB_ASN1_DATA ReplyBody; } UnpackKdcReplyBody;
KerbProtocolError: A LONG that contains any protocol-level errors that have occurred.
ReplyBody: A KERB_ASN1_DATA structure that contains the decrypted reply.