2.8.2 Ticket Signature

The ticket signature<18> is calculated first and populated before any of the PAC signatures are calculated.

The ticket signature is generated by the issuing KDC and depends on the cryptographic algorithms available to the KDC. The ulType field of the PAC_INFO_BUFFER structure (section 2.4) corresponding to the ticket signature will contain the value 0x00000010. The SignatureType MUST match the SignatureType in the KDC signature, and the key used MUST be the same. The Key Usage Number MUST be KERB_NON_KERB_CKSUM_SALT [17] ([MS-KILE] section 3.1.5.9). The KDC uses the KDC (krbtgt) key [RFC4120], so that other KDCs can verify this signature when they receive a ticket carrying the PAC.

The ticket signature is used to detect tampering of tickets by parties other than the KDC, such as a service that holds its own long-term key and could otherwise decrypt, modify, and re-encrypt a service ticket issued to it. The ticket signature SHOULD be included in tickets that are not encrypted to the krbtgt account (including the change password service) or to a trust account.

The ticket signature is a keyed hash [RFC4757] of the ticket being issued, less the PAC itself. To compute the data to be checksummed, the KDC first otherwise completes processing of the TGS-REQ and constructs the final service ticket. The ad-data in the PAC's AuthorizationData element ([RFC4120] section 5.2.6) is then replaced with a single zero byte, and the resulting EncTicketPart ([RFC4120] section 5.3) is encoded using the ASN.1 Distinguished Encoding Rules (DER). The resulting hash is placed in the Signature field of the ticket signature's PAC_SIGNATURE_DATA structure (section 2.8).
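The following Python is an added example, not part of [MS-PAC] and not Microsoft's implementation. It builds the ticket-signature input described above (EncTicketPart with the PAC's ad-data replaced by a single zero byte, re-encoded in DER), checksums it with key usage 17 under the krbtgt key, and packs the result as a PAC_SIGNATURE_DATA buffer. Assumptions: it uses the [RFC4757] HMAC-MD5 keyed checksum (SignatureType 0xFFFFFF76) because that needs only the Python standard library; a KDC holding AES keys uses the corresponding AES keyed checksum with the same key usage and the same krbtgt key. The EncTicketPart is a constructed, minimal ticket with a placeholder PAC carried as AD-WIN2K-PAC inside AD-IF-RELEVANT, as Windows tickets carry it; the DER helpers, function names, and the sample key are the example's own.

```python
"""Ticket-signature input and checksum per MS-PAC 2.8.2 (added example, not spec code)."""
import hashlib
import hmac

KERB_NON_KERB_CKSUM_SALT = 17        # key usage for PAC checksums ([MS-KILE] 3.1.5.9)
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # SignatureType of the [RFC4757] keyed checksum
AD_IF_RELEVANT = 1                   # ad-type that wraps the PAC in Windows tickets
AD_WIN2K_PAC = 128                   # ad-type of the PAC itself


# --- minimal DER helpers (single-byte tags only, which is all Kerberos uses) ---
def der(tag: bytes, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return tag + bytes([n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return tag + bytes([0x80 | len(lb)]) + lb + content


def der_int(v: int) -> bytes:
    # Non-negative INTEGER; a leading 0x00 is needed when the high bit is set (128 -> 00 80).
    return der(b"\x02", v.to_bytes((v.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, end) for the TLV starting at pos."""
    if buf[pos] & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in EncTicketPart")
    tag, first, pos = buf[pos:pos + 1], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def ad_element(adtype: int, addata: bytes) -> bytes:
    """AuthorizationData-element ::= SEQUENCE { [0] ad-type INTEGER, [1] ad-data OCTET STRING }"""
    return der(b"\x30", der(b"\xa0", der_int(adtype)) + der(b"\xa1", der(b"\x04", addata)))


def _zero_pac(authdata_content: bytes):
    """Rewrite the elements of a SEQUENCE OF AuthorizationData-element, replacing the
    ad-data of AD-WIN2K-PAC with one zero byte; descends into AD-IF-RELEVANT."""
    out, found = b"", 0
    for _, elem in children(authdata_content):
        (_, adtype_tlv), (_, addata_tlv) = children(elem)
        adtype = int.from_bytes(read_tlv(adtype_tlv)[1], "big")
        addata = read_tlv(addata_tlv)[1]
        if adtype == AD_WIN2K_PAC:
            addata, found = b"\x00", found + 1
        elif adtype == AD_IF_RELEVANT:          # ad-data is itself DER AuthorizationData
            inner, n = _zero_pac(read_tlv(addata)[1])
            addata, found = der(b"\x30", inner), found + n
        out += ad_element(adtype, addata)
    return out, found


def ticket_signature_input(enc_ticket_part: bytes) -> bytes:
    """DER EncTicketPart with the PAC's ad-data replaced by a single zero byte."""
    app_tag, seq_tlv, end = read_tlv(enc_ticket_part)
    if app_tag != b"\x63" or end != len(enc_ticket_part):   # [APPLICATION 3]
        raise ValueError("not an EncTicketPart")
    out, found = b"", 0
    for tag, val in children(read_tlv(seq_tlv)[1]):
        if tag == b"\xaa":                                   # [10] authorization-data
            new, found = _zero_pac(read_tlv(val)[1])
            val = der(b"\x30", new)
        out += der(tag, val)                                 # every other field is kept as-is
    if found != 1:
        raise ValueError("expected exactly one AD-WIN2K-PAC element, found %d" % found)
    return der(b"\x63", der(b"\x30", out))


def rfc4757_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """[RFC4757] HMAC-MD5 keyed checksum (16 bytes); the key usage is a 4-byte little-endian prefix."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(usage.to_bytes(4, "little") + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def ticket_signature_buffer(krbtgt_key: bytes, enc_ticket_part: bytes) -> bytes:
    """PAC_SIGNATURE_DATA for the ticket signature: SignatureType (LE ULONG) || Signature."""
    sig = rfc4757_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, ticket_signature_input(enc_ticket_part))
    return KERB_CHECKSUM_HMAC_MD5.to_bytes(4, "little") + sig


def verify_ticket_signature(krbtgt_key: bytes, enc_ticket_part: bytes, sig_data: bytes) -> bool:
    """What a receiving KDC does: recompute over the zeroed ticket and compare in constant time."""
    if int.from_bytes(sig_data[:4], "little") != KERB_CHECKSUM_HMAC_MD5:
        return False
    expected = rfc4757_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, ticket_signature_input(enc_ticket_part))
    return hmac.compare_digest(expected, sig_data[4:])


def sample_enc_ticket_part(pac: bytes, cname: str = "alice") -> bytes:
    """Constructed, minimal EncTicketPart (not a real ticket): PAC inside AD-IF-RELEVANT."""
    gs = lambda s: der(b"\x1b", s.encode())                                        # GeneralString
    authdata = der(b"\x30", ad_element(AD_IF_RELEVANT, der(b"\x30", ad_element(AD_WIN2K_PAC, pac))))
    fields = (der(b"\xa0", der(b"\x03", b"\x00\x40\xa0\x00\x00"))                   # [0] flags
              + der(b"\xa1", der(b"\x30", der(b"\xa0", der_int(18)) + der(b"\xa1", der(b"\x04", bytes(32)))))  # [1] key
              + der(b"\xa2", gs("EXAMPLE.LOCAL"))                                    # [2] crealm
              + der(b"\xa3", der(b"\x30", der(b"\xa0", der_int(1)) + der(b"\xa1", der(b"\x30", gs(cname)))))  # [3] cname
              + der(b"\xa4", der(b"\x30", der(b"\xa0", der_int(0)) + der(b"\xa1", der(b"\x04", b""))))        # [4] transited
              + der(b"\xa5", der(b"\x18", b"20240101000000Z"))                        # [5] authtime
              + der(b"\xaa", authdata))                                              # [10] authorization-data
    return der(b"\x63", der(b"\x30", fields))


if __name__ == "__main__":
    krbtgt_key = bytes(range(16))                      # placeholder RC4 key, constructed for the demo
    sig = ticket_signature_buffer(krbtgt_key, sample_enc_ticket_part(b"placeholder PAC bytes"))
    print("ticket signature buffer:", sig.hex())
    print("same after PAC change:", sig == ticket_signature_buffer(krbtgt_key, sample_enc_ticket_part(b"other PAC")))
    print("verifies with krbtgt key:", verify_ticket_signature(krbtgt_key, sample_enc_ticket_part(b"x"), sig))
```

Two properties worth observing when running it: the ticket signature is the same for any PAC contents, because the PAC is excised from the input (PAC integrity is the job of the server and KDC signatures), but it changes as soon as any other EncTicketPart field changes, such as the client name; and the input is rejected unless exactly one AD-WIN2K-PAC element is present, so a ticket with a duplicated or missing PAC cannot be silently signed.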

When a ticket is altered, as during renewal ([RFC4120] section 2.3), the KDC SHOULD verify the integrity of the existing ticket signature and then recompute the ticket signature, extended KDC signature, server signature, and KDC signature in the PAC.