2.8.4 Server Signature

The server signature MUST be generated AFTER the extended KDC signature (section 2.8.3).

The server signature is generated by the issuing KDC and depends on the cryptographic algorithms available to the KDC and server. The ulType field of the PAC_INFO_BUFFER corresponding to the server signature will contain the value 0x00000006. The SignatureType MUST be one of the values defined in the table in section 2.8. The Key Usage Number MUST be KERB_NON_KERB_CKSUM_SALT (17) ([MS-KILE] section 3.1.5.9). The KDC will use the long-term key that the KDC shares with the server, so that the server can verify this signature on receiving a PAC.

The server signature is a keyed hash [RFC4757] of the entire PAC message, with the Signature fields of both PAC_SIGNATURE_DATA structures set to zero. The key used to protect the ciphertext part of the response is used. The checksum type corresponds to the key unless the key is DES, in which case the KERB_CHECKSUM_HMAC_MD5 key is used. The resulting hash value is then placed in the Signature field of the server's PAC_SIGNATURE_DATA structure.
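The following is an added example, not text or code from the specification, showing the computation described above for the KERB_CHECKSUM_HMAC_MD5 case: the PAC is parsed, the Signature fields of both PAC_SIGNATURE_DATA structures are zeroed, and an RFC 4757 HMAC-MD5 checksum with key usage 17 is taken over the entire buffer with the server's key. The PAC layout (PACTYPE header, PAC_INFO_BUFFER entries, 8-byte aligned buffers), the logon-info buffer type 0x00000001 and the KDC-signature buffer type 0x00000007 come from MS-PAC but are not on this page; the PAC contents, the key and the function names are constructed for the example, and the optional RODCIdentifier field is assumed absent.

```python
import hashlib
import hmac
import struct

# Values quoted on this page (MS-PAC 2.8, MS-KILE 3.1.5.9).
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # signed value -138
KERB_NON_KERB_CKSUM_SALT = 17
PAC_SERVER_CHECKSUM = 0x00000006
# Buffer types from MS-PAC's buffer-type table (assumed, not shown on this page).
PAC_LOGON_INFO = 0x00000001
PAC_PRIVSVR_CHECKSUM = 0x00000007
SIG_LEN_HMAC_MD5 = 16


def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 as specified in RFC 4757 section 3."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def parse_pac_buffers(pac: bytes):
    """Return (ulType, cbBufferSize, Offset) for every PAC_INFO_BUFFER."""
    cbuffers, _version = struct.unpack_from("<II", pac, 0)
    entries, off = [], 8
    for _ in range(cbuffers):
        entries.append(struct.unpack_from("<IIQ", pac, off))
        off += 16
    return entries


def zero_signature_fields(pac: bytes) -> bytes:
    """Copy of the PAC with the Signature field of both signature buffers zeroed."""
    out = bytearray(pac)
    for ultype, _size, offset in parse_pac_buffers(pac):
        if ultype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
            sigtype = struct.unpack_from("<I", pac, offset)[0]
            if sigtype != KERB_CHECKSUM_HMAC_MD5:
                raise NotImplementedError("only the HMAC-MD5 case is shown here")
            out[offset + 4:offset + 4 + SIG_LEN_HMAC_MD5] = bytes(SIG_LEN_HMAC_MD5)
    return bytes(out)


def build_pac(logon_info: bytes) -> bytes:
    """Constructed toy PAC: header, three PAC_INFO_BUFFER entries, 8-byte aligned buffers."""
    sig_buf = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(SIG_LEN_HMAC_MD5)
    bufs = [(PAC_LOGON_INFO, logon_info),
            (PAC_SERVER_CHECKSUM, sig_buf),
            (PAC_PRIVSVR_CHECKSUM, sig_buf)]
    header_len = 8 + 16 * len(bufs)
    entries, body = bytearray(), bytearray()
    for ultype, data in bufs:
        while (header_len + len(body)) % 8:
            body.append(0)
        entries += struct.pack("<IIQ", ultype, len(data), header_len + len(body))
        body += data
    return bytes(struct.pack("<II", len(bufs), 0) + entries + body)


def sign_pac_server(pac: bytes, server_key: bytes) -> bytes:
    """KDC side: keyed hash over the PAC with signature fields zeroed, stored in the server buffer."""
    sig = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, zero_signature_fields(pac))
    out = bytearray(pac)
    for ultype, _size, offset in parse_pac_buffers(pac):
        if ultype == PAC_SERVER_CHECKSUM:
            out[offset + 4:offset + 4 + SIG_LEN_HMAC_MD5] = sig
    return bytes(out)


def verify_server_signature(pac: bytes, server_key: bytes) -> bool:
    """Server side: recompute over the zeroed PAC and compare in constant time."""
    for ultype, _size, offset in parse_pac_buffers(pac):
        if ultype == PAC_SERVER_CHECKSUM:
            stored = pac[offset + 4:offset + 4 + SIG_LEN_HMAC_MD5]
            expected = hmac_md5_checksum(server_key, KERB_NON_KERB_CKSUM_SALT,
                                         zero_signature_fields(pac))
            return hmac.compare_digest(stored, expected)
    return False   # no server signature buffer present


if __name__ == "__main__":
    key = bytes(range(16))                       # constructed server long-term key
    signed = sign_pac_server(build_pac(b"constructed logon info"), key)
    print("valid:", verify_server_signature(signed, key))
```

Zeroing both Signature fields before hashing is what makes the server signature independent of the KDC signature that is written into the same buffer later; a verifier that forgets to zero the KDC signature field will never match. The verification path returns False rather than raising when the signature buffer is missing, which is the outcome a server should treat as a failed PAC check.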