3.3.5.6.4.1 KERB_VALIDATION_INFO Structure

For KILE implementations that use Active Directory for the account database, KDCs retrieve the following attributes from the local directory service instance with the same processing rules as defined in SamrQueryInformationUser2 method ([MS-SAMR] section 3.1.5.5.5) message processing. The Buffer.SAMPR_USER_ALL_INFORMATION structure is defined in [MS-SAMR] section 2.2.6.6, where the common fields are defined in section 2.2.6.1. The KDC populates the returned KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) fields as follows:

  • The LogonTime field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.LastLogon field of the SamrQueryInformationUser2 response message.

  • The LogoffTime field is computed and set as follows:

    1. Convert the local machine time into an offset from the beginning of the week ([MS-SAMR] section 2.2.6.5). This conversion must use the same granularity as the UnitsPerWeek field of the Buffer.SAMPR_USER_ALL_INFORMATION.LogonHours of the SamrQueryInformationUser2 response message.

    2. Starting at the offset determined in step 1, examine the remaining entries in the Buffer.SAMPR_USER_ALL_INFORMATION.LogonHours. If the value at the initial offset is disabled for authentication, the KDC MUST return Kerb Error KDC_ERROR_CLIENT_REVOKED with status code STATUS_INVALID_LOGON_HOURS. If none of the remaining entries are disabled, use the time stamp value 0x7FFFFFFFFFFFFFFF. Otherwise, compute a time stamp by adding the offset of the next disabled authentication unit to the current time.

    3. Set the LogoffTime field to the lesser of the value determined in step 2 and the value of the Buffer.SAMPR_USER_ALL_INFORMATION.AccountExpires field of the SamrQueryInformationUser2 response message.

  • The KickOffTime field is set to the LogoffTime + the Buffer.SAMPR_USER_ALL_INFORMATION.ForceLogoff field of the SamrQueryInformationUser2 response message.

  • The PasswordLastSet field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.PasswordLastSet field of the SamrQueryInformationUser2 response message.

  • The PasswordCanChange field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.PasswordCanChange field of the SamrQueryInformationUser2 response message.

  • The PasswordMustChange field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.PasswordMustChange field of the SamrQueryInformationUser2 response message.

  • The EffectiveName field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.UserName field of the SamrQueryInformationUser2 response message.

  • The FullName field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.FullName field of the SamrQueryInformationUser2 response message.

  • The LogonScript field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.ScriptPath field of the SamrQueryInformationUser2 response message.

  • The ProfilePath field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.ProfilePath field of the SamrQueryInformationUser2 response message.

  • The HomeDirectory field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.HomeDirectory field of the SamrQueryInformationUser2 response message.

  • The HomeDirectoryDrive field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.HomeDirectoryDrive field of the SamrQueryInformationUser2 response message.

  • The LogonCount field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.LogonCount field of the SamrQueryInformationUser2 response message.

  • The BadPasswordCount field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.BadPasswordCount field of the SamrQueryInformationUser2 response message.

  • The UserId field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.UserId field of the SamrQueryInformationUser2 response message.

  • The PrimaryGroupId field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.PrimaryGroupId field of the SamrQueryInformationUser2 response message.

  • The UserAccountControl field is set to the Buffer.SAMPR_USER_ALL_INFORMATION.UserAccountControl field of the SamrQueryInformationUser2 response message.
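The three LogoffTime steps and the KickOffTime rule above are the only computed fields in this list, and they are where an implementation can silently get the logon-hours enforcement wrong. The following Python is an added worked example, not code from [MS-KILE] or any Windows implementation: it walks a constructed LogonHours bitmap at the UnitsPerWeek granularity, raises a stand-in for KDC_ERROR_CLIENT_REVOKED / STATUS_INVALID_LOGON_HOURS when the current unit is disabled, and returns LogoffTime and KickOffTime as FILETIME ticks. It assumes the MS-SAMR LogonHours convention that bit 0 is Sunday 00:00 UTC with the least significant bit first, reads step 2's time stamp as the start of the next disabled unit, treats an AccountExpires of 0 as "never expires" (MS-SAMR semantics, not stated in this section), and treats ForceLogoff as a non-negative number of 100 ns ticks; the function and constant names are the example's own.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # FILETIME ticks are 100 ns
NEVER = 0x7FFFFFFFFFFFFFFF             # step 2's "no disabled unit ahead" stamp
SECONDS_PER_WEEK = 7 * 24 * 3600


class InvalidLogonHours(Exception):
    """Stand-in for KDC_ERROR_CLIENT_REVOKED with STATUS_INVALID_LOGON_HOURS (step 2)."""


def to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (exact integer arithmetic, no float rounding)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(seconds=ft // TICKS_PER_SECOND)


def build_logon_hours(units_per_week: int, disabled: set[int]) -> bytes:
    """Constructed LogonHours bitmap for the example: bit i set = unit i permits logon."""
    out = bytearray((units_per_week + 7) // 8)
    for i in range(units_per_week):
        if i not in disabled:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


def unit_enabled(logon_hours: bytes, idx: int) -> bool:
    return (logon_hours[idx // 8] >> (idx % 8)) & 1 == 1


def week_offset(now: datetime, units_per_week: int) -> tuple[int, int]:
    """Step 1: (unit index of `now` from the start of the week, seconds already elapsed
    inside that unit). Assumes bit 0 = Sunday 00:00 UTC, the MS-SAMR LogonHours layout."""
    now = now.astimezone(timezone.utc)
    seconds_per_unit = SECONDS_PER_WEEK // units_per_week
    day = (now.weekday() + 1) % 7          # Python Mon=0..Sun=6 -> Sun=0..Sat=6
    secs = day * 86400 + now.hour * 3600 + now.minute * 60 + now.second
    return secs // seconds_per_unit, secs % seconds_per_unit


def compute_logoff_time(now: datetime, logon_hours: bytes,
                        units_per_week: int, account_expires: int) -> int:
    """Steps 1-3: LogoffTime as FILETIME ticks, or InvalidLogonHours if logon is
    not permitted right now."""
    offset, into_unit = week_offset(now, units_per_week)
    seconds_per_unit = SECONDS_PER_WEEK // units_per_week
    if not unit_enabled(logon_hours, offset):
        raise InvalidLogonHours(f"logon hours unit {offset} is disabled")
    # Step 2: scan the remaining units of this week for the next disabled one.
    step2 = NEVER
    for idx in range(offset + 1, units_per_week):
        if not unit_enabled(logon_hours, idx):
            # Reading used here: the stamp is the start of that disabled unit.
            seconds_ahead = (idx - offset) * seconds_per_unit - into_unit
            step2 = to_filetime(now) + seconds_ahead * TICKS_PER_SECOND
            break
    # Assumption from MS-SAMR semantics (not this section): AccountExpires == 0
    # means "never expires", so normalise it before the "lesser of" in step 3.
    if account_expires == 0:
        account_expires = NEVER
    return min(step2, account_expires)


def compute_kickoff_time(logoff_time: int, force_logoff: int) -> int:
    """KickOffTime = LogoffTime + ForceLogoff. ForceLogoff is treated as a
    non-negative tick count; saturating at NEVER is this example's choice."""
    return min(logoff_time + force_logoff, NEVER)


if __name__ == "__main__":
    # Constructed scenario: hourly granularity, Wednesday 18:00-23:59 UTC disabled.
    hours = build_logon_hours(168, set(range(90, 96)))
    now = datetime(2024, 1, 10, 10, 30, tzinfo=timezone.utc)   # a Wednesday
    expires = to_filetime(datetime(2024, 2, 1, tzinfo=timezone.utc))
    logoff = compute_logoff_time(now, hours, 168, expires)
    kickoff = compute_kickoff_time(logoff, 15 * 60 * TICKS_PER_SECOND)
    print("LogoffTime ", from_filetime(logoff))
    print("KickOffTime", from_filetime(kickoff))
```

Two points worth checking in any real implementation: the scan in step 2 stops at the end of the current week (the "remaining entries"), so a disabled unit early next week does not shorten the ticket, and the granularity in step 1 must be derived from UnitsPerWeek rather than hard-coded to hours, because the bitmap may be specified per minute or per day.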

For KILE implementations that use Active Directory for the account database, KDCs MUST retrieve the following attributes from the local directory service instance using the processing rules defined in the GetUserLogonInfo procedure ([MS-ADTS] section 3.1.1.13.3). The KDC populates the returned KERB_VALIDATION_INFO structure as follows:

  • The GroupCount field is set to the count of SIDs returned in the ExpandedSids parameter of the GetUserLogonInfo procedure.

  • The GroupIds field is set to the set of SIDs returned in the ExpandedSids parameter of the GetUserLogonInfo procedure.

The KDC populates the returned KERB_VALIDATION_INFO structure fields as follows:

  • The UserSessionKey field MUST be set to zero.

  • The LogonServer is set to NetbiosServerName.

  • The LogonDomainName is set to NetbiosDomainName.

  • The LogonDomainId is set to DomainSid.

  • The Reserved1 field MUST be set to a two-element array of unsigned 32-bit integers and each element of the array MUST be zero.

  • The Reserved3 field MUST be set to a seven-element array of unsigned 32-bit integers and each element of the array MUST be zero.

  • The SidCount field contains the number of SIDs in the ExtraSids field. The ExtraSids field SHOULD<55> contain the AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID ([MS-DTYP] section 2.4.2.4), and the D bit SHOULD be set in the UserFlags field.

  • The ResourceGroupDomainSid field MUST be set to NULL.

  • The ResourceGroupCount field contains the number of SIDs in the ResourceGroupIds field.

  • The ResourceGroupIds field MUST be set to NULL.