次の方法で共有


2.2.2.1 NETLOGON_TICKET_LOGON_INFO Message

The NETLOGON_TICKET_LOGON_INFO message is used by Kerberos to invoke the network ticket logon flow. In this flow, it calls Netlogon with the ticket which relays the ticket to the issuing domain in the same fashion as generic passthrough. The NETLOGON_VALIDATION_TICKET_LOGON message (section 2.2.3.1) then processes the validation. This message is defined with the following fields.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

CriticalOptions

ComputerDomainOptions

TransitOptions

KerberosOptions

ServiceTicketLength

ServiceTicket (variable)

...

...

...

AdditionalTicketLength

AdditionalTicket (variable)

...

...

...

CriticalOptions (2 bytes): A USHORT that contains flags that must be understood to parse the rest of the request. The following flag is defined.

Value

Meaning

NoAuthorizationData

0x0000

Only check the ticket; don't return authorization data.

ComputerDomainOptions (2 bytes): A USHORT that contains operations performed by Netlogon in the computer's domain. The following operations are defined.

Value

Meaning

SkipResourceGroups

0x0010

Don't add resource groups from the computer's domain.

SkipA2AChecks

0x0011

Don't perform check A2A and A2ATo access checks.

TransitOptions (2 bytes): A USHORT that contains operations performed by Netlogon at every hop. The following operations are defined.

Value

Meaning

SkipSIDFilter

0x0020

Don't SIDs and transform claims.

SkipNamespaceFilter

0x0021

Don't filter the user domain against the trust's namespace.

KerberosOptions (2 bytes): A USHORT that contains operations performed by the KDC in the ticket's issuing realm. The following operations are defined.

Value

Meaning

SkipPacSignatures

0x0030

Don't verify signatures present in the PAC.

RemoveResourceGroups

0x0031

Strip resource groups from the service ticket.

ServiceTicketLength (4 bytes): A ULONG that contains the length of the preceding service ticket.

ServiceTicket (variable): A pointer to a UCHAR. The Kerberos service ticket that's the source of authorization information.

AdditionalTicketLength (4 bytes): A ULONG that contains the length of the preceding additional ticket.

AdditionalTicket (variable): A pointer to a UCHAR. If the service ticket is a User2User ticket then the TGT used as the source of the session key must also be provided.