2.8.4 Extended KDC Signature

The extended KDC signature<21> is generated by the issuing KDC and depends on the cryptographic algorithms available to the KDC. The ulType field of the PAC_INFO_BUFFER structure (section 2.4) corresponding to the extended KDC signature contains the value 0x00000013. The SignatureType (section 2.8) MUST match the SignatureType in the KDC signature (section 2.8.2) and the key used MUST be the same. The Key Usage Number MUST be KERB_NON_KERB_CKSUM_SALT (17) ([MS-KILE] section 3.1.5.9). The KDC uses the KDC (krbtgt) key [RFC4120], so that other KDCs can verify this signature on receiving a PAC.

The extended KDC signature is used to detect tampering with PACs by parties other than the KDC. The extended KDC signature SHOULD be included in tickets that are not encrypted to the krbtgt account (which includes tickets for the change password service) or to a trust account.

The extended KDC signature is a keyed hash of the entire PAC message, computed with the checksum algorithm identified by SignatureType (section 2.8; for KERB_CHECKSUM_HMAC_MD5 this is the keyed checksum of [RFC4757]), with the Signature fields of all PAC_SIGNATURE_DATA structures (section 2.8) set to zero. This includes the extended KDC signature's own Signature field, which is not yet populated when the hash is computed.

The resulting hash is placed in the Signature field of the extended KDC signature's PAC_SIGNATURE_DATA structure (section 2.8). A verifier recomputes the hash the same way, with every Signature field zeroed, and compares the result with the stored value.

The extended KDC signature MUST be generated BEFORE the Server Signature (section 2.8.1) is generated. 

When a ticket is altered, as during renewal ([RFC4120] section 2.3), the KDC SHOULD verify the integrity of the existing signatures and then recompute the ticket signature, server signature, KDC signature, and extended KDC signature in the PAC.
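The generation and verification steps described in this section, as an added worked example (this is illustrative code written for this page, not code from [MS-PAC], Windows, or any Kerberos implementation). It lays out a minimal PACTYPE with its PAC_INFO_BUFFER array, computes the extended KDC signature over the whole PAC with every Signature field zeroed under key usage 17 and the krbtgt key, places it before the server signature, and then shows that an edit to the logon data by a party holding only the service key still passes the server signature check but fails the extended KDC signature check. To stay on the Python standard library it uses SignatureType KERB_CHECKSUM_HMAC_MD5 (0xFFFFFF76) and the [RFC4757] checksum; the AES signature types use HMAC-SHA1-96 with a derived key and are not shown. The keys, the logon-info bytes (a real PAC_LOGON_INFO buffer is NDR-encoded), and the omission of the RODCIdentifier field are constructed for the example, the ticket signature is left out because it is computed over the ticket rather than the PAC alone, and the example assumes the reading of section 2.8.1 under which the server signature zeroes only the server and KDC Signature fields and therefore covers the extended KDC signature that is already in place.

```python
import hashlib
import hmac
import struct

# ulType values of the PAC buffers involved (MS-PAC sections 2.4 and 2.8).
PAC_LOGON_INFO = 0x00000001
PAC_SERVER_CHECKSUM = 0x00000006      # server signature (2.8.1)
PAC_PRIVSVR_CHECKSUM = 0x00000007     # KDC signature (2.8.2)
PAC_TICKET_CHECKSUM = 0x00000010      # ticket signature (2.8.3); zeroed here if present
PAC_FULL_CHECKSUM = 0x00000013        # extended KDC signature (2.8.4)
SIGNATURE_TYPES = {PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM,
                   PAC_TICKET_CHECKSUM, PAC_FULL_CHECKSUM}
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # SignatureType used in this example (RFC 4757 checksum)
SIGNATURE_LENGTH = {KERB_CHECKSUM_HMAC_MD5: 16, 0x0000000F: 12, 0x00000010: 12}
KERB_NON_KERB_CKSUM_SALT = 17         # key usage number for every PAC signature
EMPTY_SIG_BUFFER = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16)  # no RODCIdentifier

def rc4_hmac_checksum(key, usage, data):
    """RFC 4757 keyed checksum: HMAC-MD5(Ksign, MD5(T || data)), T = usage as LE uint32."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def build_pac(buffers):
    """PACTYPE header + PAC_INFO_BUFFER array + buffers padded to 8 bytes (sections 2.3, 2.4)."""
    offset, infos, body = 8 + 16 * len(buffers), b"", b""
    for ultype, data in buffers:
        infos += struct.pack("<IIQ", ultype, len(data), offset)   # ulType, cbBufferSize, Offset
        padded = data + bytes(-len(data) % 8)
        body, offset = body + padded, offset + len(padded)
    return struct.pack("<II", len(buffers), 0) + infos + body       # cBuffers, Version

def parse_pac(pac):
    """Map ulType -> (Offset, cbBufferSize) from the PAC_INFO_BUFFER array."""
    count = struct.unpack_from("<I", pac, 0)[0]
    return {t: (off, size) for t, size, off in
            (struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(count))}

def _sig_span(pac, ultype):
    """Byte range of the Signature field inside a PAC_SIGNATURE_DATA buffer."""
    off = parse_pac(pac)[ultype][0]
    n = SIGNATURE_LENGTH[struct.unpack_from("<I", pac, off)[0]]   # length follows SignatureType
    return off + 4, off + 4 + n

def zero_signatures(pac, types):
    """Copy of the PAC with the Signature field of each listed signature buffer set to zero."""
    buf = bytearray(pac)
    for ultype in parse_pac(pac).keys() & types:
        lo, hi = _sig_span(pac, ultype)
        buf[lo:hi] = bytes(hi - lo)
    return bytes(buf)

def get_signature(pac, ultype):
    lo, hi = _sig_span(pac, ultype)
    return pac[lo:hi]

def set_signature(pac, ultype, sig):
    lo, hi = _sig_span(pac, ultype)
    return pac[:lo] + sig + pac[hi:]

def extended_kdc_signature(pac, krbtgt_key):
    """Section 2.8.4: checksum over the whole PAC, every Signature field zeroed, krbtgt key, usage 17."""
    return rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, zero_signatures(pac, SIGNATURE_TYPES))

def server_signature(pac, server_key):
    """Section 2.8.1 (assumed reading): only the server and KDC Signature fields are zeroed."""
    return rc4_hmac_checksum(server_key, KERB_NON_KERB_CKSUM_SALT,
                             zero_signatures(pac, {PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM}))

def sign_pac(pac, server_key, krbtgt_key):
    """KDC-side signing in the required order: extended KDC signature, then server, then KDC."""
    pac = set_signature(pac, PAC_FULL_CHECKSUM, extended_kdc_signature(pac, krbtgt_key))
    srv = server_signature(pac, server_key)            # now covers the extended KDC signature
    pac = set_signature(pac, PAC_SERVER_CHECKSUM, srv)
    kdc = rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, srv)   # section 2.8.2
    return set_signature(pac, PAC_PRIVSVR_CHECKSUM, kdc)

def verify_extended_kdc_signature(pac, krbtgt_key):
    return hmac.compare_digest(get_signature(pac, PAC_FULL_CHECKSUM), extended_kdc_signature(pac, krbtgt_key))

def verify_server_signature(pac, server_key):
    return hmac.compare_digest(get_signature(pac, PAC_SERVER_CHECKSUM), server_signature(pac, server_key))

def demo():
    """Constructed keys and logon data; returns (genuine verifies, forgery passes server check,
    forgery passes extended KDC check)."""
    krbtgt_key = hashlib.md5(b"example krbtgt key").digest()    # 16-byte RC4 keys, not real ones
    server_key = hashlib.md5(b"example service key").digest()
    logon_info = b"CONSTRUCTED-LOGON-INFO-RID-1105"   # stand-in for an NDR-encoded KERB_VALIDATION_INFO
    buffers = [(PAC_LOGON_INFO, logon_info)] + [(t, EMPTY_SIG_BUFFER) for t in
               (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_FULL_CHECKSUM)]
    signed = sign_pac(build_pac(buffers), server_key, krbtgt_key)
    # A holder of only the service key rewrites the RID and re-signs the server signature.
    forged = signed.replace(b"RID-1105", b"RID-0500")
    forged = set_signature(forged, PAC_SERVER_CHECKSUM, server_signature(forged, server_key))
    return (verify_extended_kdc_signature(signed, krbtgt_key),
            verify_server_signature(forged, server_key), verify_extended_kdc_signature(forged, krbtgt_key))
```

Running `demo()` returns `(True, True, False)`: the genuine PAC verifies, the re-signed forgery satisfies the server signature check, and the extended KDC signature rejects it because it covers the PAC contents under a key the service does not hold. The same `sign_pac` path, run after `verify_extended_kdc_signature` and `verify_server_signature` succeed on the incoming PAC, is the recompute step a KDC performs when it alters a ticket at renewal.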