2.2.1 PA-FOR-USER

  • Article

In a KRB_TGS_REQ and KRB_TGS_REP subprotocol message sequence, as specified in [RFC4120] section 3.3, a Kerberos principal uses its ticket-granting ticket (TGT) to request a service ticket to a service. The TGS uses the requesting principal's identity from the TGT passed in the KRB_TGS_REQ message to create the service ticket.

In the S4U2self TGS exchange subprotocol extension, a service requests a service ticket to itself on behalf of a user. The user is identified to the KDC by the user name and user realm. Alternatively, the user might be identified using the user's certificate. The service uses its own TGT and adds a new type of padata. The padata type is specified in [RFC4120] section 5.2.7.

If the user, on whose behalf the service requests the service ticket, is identified using the user name and user realm, then the padata type PA-FOR-USER (ID 129) is used. This padata type contains a unique identifier that indicates the user's identity. This unique identifier consists of the user's name and user's realm. The PA-FOR-USER padata value is protected with the help of a keyed checksum, as defined below.

The following code defines the ASN.1 structure of the PA-FOR-USER padata type.

    PA-FOR-USER ::= SEQUENCE {
       -- PA TYPE 129
       userName              [0] PrincipalName,
       userRealm              [1] Realm,            
       cksum                 [2] Checksum,             
       auth-package          [3] KerberosString
    }

userName: The PrincipalName type discussed in detail in [RFC4120] section 5.2.2. It consists of a name type and name string. The default value for name type is NT-UNKNOWN as specified in [RFC4120] section 6.2. The name string is a sequence of strings encoded as KerberosString, as specified in [RFC4120] section 5.2.1, that (together with the userRealm) represents a user principal.

userRealm: A KerberosString that represents the realm in which the user account is located. This value is not case-sensitive.

cksum: A checksum of userName, userRealm, and auth-package. This is calculated using the KERB_CHECKSUM_HMAC_MD5 function ([RFC4757]). The value of the userName.name-type is first encoded as a 4-byte integer in little endian byte order, then these 4 bytes are concatenated with all string values in the sequence of strings contained in the userName.name-string field, then the string value of the userRealm field, and then the string value of auth-package field, in that order, to form a byte array which can be called S4UByteArray. Note that, in the computation of S4UByteArray, the null terminator is not included when concatenating the strings. Finally cksum is computed by calling the KERB_CHECKSUM_HMAC_MD5 hash with the following three parameters: the session key of the TGT of the service performing the S4U2self request, the message type value of 17, and the byte array S4UByteArray.

Note The term "message type" is used here as in [RFC4757]. This usage corresponds to the term, "Key Usage Number" used in [RFC4120].

auth-package: A string name of the authentication mechanism used to authenticate the user. This MUST be set to the string, "Kerberos". This value is not case-sensitive.