Compartilhar via


2.2.1.4.20 NETLOGON_VALIDATION_TICKET_LOGON

The NETLOGON_VALIDATION_TICKET_LOGON message is used after the NETLOGON_TICKET_LOGON_INFO message (section 2.2.1.4.19) at the destination domain. The issuing KDC opens the ticket, verifies all the signatures, and then extracts the authorization information from the PAC.

This message MUST be encoded as a contiguous buffer. The encoded data SHOULD be sent by using the generic pass-through mechanism (section 3.2.4.1).

The message is defined as follows.

 typedef struct _NETLOGON_VALIDATION_TICKET_LOGON {
 #ifdef MIDL_PASS
     ULONGLONG Results; 
 #else
     union
     {
         union
         {
             ULONGLONG Results; 
             
             struct
             {
                 UCHAR CriticalResults; 
                 UCHAR CriticalClientResults; 
                 UCHAR CriticalComputerDomainResults; 
                 UCHAR CriticalTransitResults; 
  
                 USHORT SourceInformation; 
                 USHORT TransitInformation; 
             } DUMMYSTRUCTNAME;
         } DUMMYUNIONNAME;
         
         struct
         {
  
             UCHAR LogonFailed : 1; 
             UCHAR : 0; 
  
             UCHAR : 1; 
             UCHAR : 0; 
             
             UCHAR : 1; 
             UCHAR : 0; 
  
             UCHAR : 1; 
             UCHAR : 0; 
  
  
  
             USHORT TicketDecryptionFailed : 1; 
             USHORT PacValidationFailed : 1; 
             
             USHORT CompoundSource : 1; 
             USHORT SourceUserClaims : 1; 
             USHORT SourceDeviceClaims : 1; 
             USHORT FullSignaturePresent : 1; 
             USHORT ResourceGroupsRemoved : 1; 
  
             USHORT : 0; 
  
  
             USHORT UserSidsFailed : 1; 
             USHORT UserNamespaceFailed : 1; 
             USHORT UserFailedA2A : 1; 
             
             USHORT DeviceSidsFailed : 1; 
             USHORT DeviceNamespaceFailed : 1; 
  
             USHORT UserSidsFiltered : 1; 
             USHORT DeviceSidsFiltered : 1; 
          } DUMMYSTRUCTNAME;
     } DUMMYUNIONNAME;
 #endif
  
     NTSTATUS KerberosStatus; 
     NTSTATUS NetlogonStatus; 
  
     UNICODE_STRING SourceOfStatus; 
  
     PNETLOGON_VALIDATION_SAM_INFO4 UserInformation;
     PNETLOGON_VALIDATION_SAM_INFO4 DeviceInformation;
  
     ULONG UserClaimsLength;
 #ifdef MIDL_PASS
     [size_is(UserClaimsLength)]
 #endif 
     PUCHAR UserClaims;
  
     ULONG DeviceClaimsLength;
 #ifdef MIDL_PASS
     [size_is(DeviceClaimsLength)]
 #endif 
     PUCHAR DeviceClaims;
 } NETLOGON_VALIDATION_TICKET_LOGON, *PNETLOGON_VALIDATION_TICKET_LOGON;
  

The NETLOGON_VALIDATION_TICKET_LOGON structure contains nested unions which provide access to elements either individually or collectively as a single value. The following describes each field and its relationship to other fields. Because of the nesting of the unions, the list does not use indenting to show the relationships. Refer to the preceding typedef code and the descriptions for the relationships.

Results: An unsigned 64-bit integer that becomes an alias for the union that follows it.

Results: An unsigned 64-bit integer that becomes an alias for the structure that follows.

CriticalResults: An unsigned 8-bit character that groups together conditions that all parties must understand to interpret the rest of the results. The only defined flag is LogonFailed.

CriticalClientResults: An unsigned 8-bit character. Conditions that the caller must understand before using the results. Unused, MUST be set to 0.

CriticalComputerDomainResults: An unsigned 8-bit character. Conditions that must be handled by Netlogon in the computer's domain. Unused, MUST be set to 0.

CriticalTransitResults: An unsigned 8-bit character. Conditions that must be handled by Netlogon in every transited domain. Unused, MUST be set to 0.

SourceInformation: A 16-bit unsigned integer that groups together flags providing information about the ticket from the KDC that issued the service ticket. The flags are TicketDecryptionFailed, PacValidationFailed, CompoundSource, SourceUserClaims, SourceDeviceClaims, FullSignaturePresent, and ResourceGroupsRemoved.

TransitInformation: A 16-bit unsigned integer that groups together flags providing information from Netlogon about operations performed while transiting back to the computer. The flags are UserSidsFailed, UserNamespaceFailed, UserFailedA2A , DeviceSidsFailed, DeviceNamespaceFailed, UserSidsFiltered, and DeviceSidsFiltered.

LogonFailed:   A one-bit field grouped under CriticalResults that indicates that the logon failed and that there are no authorization results.

TicketDecryptionFailed: A one-bit field grouped under SourceInformation that indicates the ticket decryption failed and, therefore, the logon failed.

PacValidationFailed: A one-bit field grouped under SourceInformation that indicates the PAC signature did not validate causing the logon to fail.

CompoundSource: A one-bit field grouped under SourceInformation that indicates the source ticket contained device information.

SourceUserClaims: A one-bit field grouped under SoruceInformation that indicates there were user claims in the source ticket.

SourceDeviceClaims: A one-bit field grouped under SoruceInformation that indicates there were device claims in the source ticket.

FullSignaturePresent: A one-bit field grouped under SoruceInformation that indicates that the KDC checked the full ticket krbtgt signature.

ResourceGroupsRemoved: A one-bit field grouped under SoruceInformation that indicates the KDC removed (by client request) resource groups from the source information.

UserSidsFailed: A one-bit field grouped under TransitInformation that indicates logon failed because SID filtering did not allow the user identity.

UserNamespaceFailed: A one-bit field grouped under TransitInformation that indicates logon failed because namespace filtering did not allow the user domain name.

UserFailedA2A: A one-bit field grouped under TransitInformation that indicates logon failed because the user is not allowed to authenticate to the computer.

DeviceSidsFailed: A one-bit field grouped under TransitInformation that indicates compound identity was removed because SID filtering did not allow the device identity.

DeviceNamespaceFailed: A one-bit field grouped under TransitInformation that indicates compound identity was removed because SID filtering did not allow the device domain name.

UserSidsFiltered: A one-bit field grouped under TransitInformation that indicates SID filtering removed one or more SIDs from the user information.

DeviceSidsFiltered: A one-bit field grouped under TransitInformation that indicates SID filtering removed one or more SIDs from the device information.

KerberosStatus: An NTSTATUS code that, if unsuccessful, an error encountered by the KDC during ticket validation.

NetlogonStatus: An NTSTATUS code that, if unsuccessful, is an NTSTATUS code that details an error encountered by Netlogon during transit back to the computer.

SourceOfStatus: A UNICODE_STRING containing (if populated) the name of the DC that set either the KerberosStatus or the NetlogonStatus codes.

UserInformation: A pointer to a NETLOGON_VALIDATION_SAM_INFO4 structure (see section 2.2.1.4.13) that contains the authenticated user information.

DeviceInformation: A pointer to a NETLOGON_VALIDATION_SAM_INFO4 structure (see section 2.2.1.4.13) that contains optional authenticated device information.

UserClaimsLength: A 32-bit unsigned integer that is the length of the user claims data, UserClaims.

UserClaims: A pointer to an unsigned character array that contains the user claims data.

DeviceClaimsLength: A 32-bit unsigned integer that is the length of the device claims data, DeviceClaims.

DeviceClaims: A pointer to an unsigned character array that contains the device claims data.