2.2.1.4.20 NETLOGON_VALIDATION_TICKET_LOGON

The NETLOGON_VALIDATION_TICKET_LOGON message is used after the NETLOGON_TICKET_LOGON_INFO message (section 2.2.1.4.19) at the destination domain. The issuing KDC opens the ticket, verifies all the signatures, and then extracts the authorization information from the PAC.

The encoded data SHOULD be sent using the network logon mechanism (section 3.2.4.2).

The message is defined as follows.

typedef struct _NETLOGON_VALIDATION_TICKET_LOGON {
    ULONGLONG Results;
    NTSTATUS KerberosStatus;
    NTSTATUS NetlogonStatus;
    UNICODE_STRING SourceOfStatus;
    PNETLOGON_VALIDATION_SAM_INFO4 UserInformation;
    PNETLOGON_VALIDATION_SAM_INFO4 DeviceInformation;
    ULONG UserClaimsLength;
    [size_is(UserClaimsLength)] PUCHAR UserClaims;
    ULONG DeviceClaimsLength;
    [size_is(DeviceClaimsLength)] PUCHAR DeviceClaims;
} NETLOGON_VALIDATION_TICKET_LOGON, * PNETLOGON_VALIDATION_TICKET_LOGON;

Results: An unsigned 64-bit integer that is treated as six fields.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-------------------------------+-------------------------------+
|      TransitInformation       |       SourceInformation       |
+---------------+---------------+---------------+---------------+
|       A       |       B       |       C       |       D       |
+---------------+---------------+---------------+---------------+

TransitInformation (2 bytes): A 16-bit unsigned integer that groups together flags providing information from Netlogon about operations performed while transiting back to the computer. The flags are as follows.

 0 1 2 3 4 5 6 7 8 9 1 1 1 1 1 1
                     0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|X|X|X|X|X|X|X|X|X|A|B|C|D|E|F|G|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

A - DeviceSidsFiltered (1 bit): When set, indicates SID filtering removed one or more SIDs from the device information.

B - UserSidsFiltered (1 bit): When set, indicates SID filtering removed one or more SIDs from the user information.

C - DeviceNamespaceFailed (1 bit): When set, indicates compound identity was removed because SID filtering did not allow the device domain name.

D - DeviceSidsFailed (1 bit): When set, indicates compound identity was removed because SID filtering did not allow the device identity.

E - UserFailedA2A (1 bit): Indicates, when set, that logon failed because the user is not allowed to authenticate to the computer.

F - UserNamespaceFailed (1 bit): When set, indicates logon failed because namespace filtering did not allow the user domain name.

G - UserSidsFailed (1 bit): When set, indicates logon failed because SID filtering did not allow the user identity.

SourceInformation (2 bytes): A 16-bit unsigned integer that groups together flags providing information about the ticket from the KDC that issued the service ticket.

 0 1 2 3 4 5 6 7 8 9 1 1 1 1 1 1
                     0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|X|X|X|X|X|X|X|X|X|A|B|C|D|E|F|G|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

A - ResourceGroupsRemoved (1 bit): Indicates, when set, that the KDC removed (by client request) resource groups from the source information.

B - FullSignaturePresent (1 bit): When set, indicates that the KDC checked the full ticket krbtgt signature.

C - SourceDeviceClaims (1 bit): When set, indicates that there were device claims in the source ticket.

D - SourceUserClaims (1 bit): If set, indicates there were user claims in the source ticket.

E - CompoundSource (1 bit): When set, indicates the source ticket contained device information.

F - PacValidationFailed (1 bit): When set, indicates the PAC signature did not validate causing the logon to fail.

G - TicketDecryptionFailed (1 bit): Indicates, when set, that ticket decryption failed and, therefore, the logon failed.

A – CriticalTransitResults (1 byte): Conditions that must be handled by Netlogon in every transited domain. Unused, MUST be set to 0.

B – CriticalComputerDomainResults (1 byte): Conditions that must be handled by Netlogon in the computer's domain. Unused, MUST be set to 0.

C – CriticalClientResults (1 byte): Conditions that the caller must understand before using the results. Unused, MUST be set to 0.

D – CriticalResults (1 byte): Conditions that all parties must understand to interpret the rest of the results. The only defined flag is LogonFailed, the least significant bit. When set, the logon failed.
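As an added example (not part of the MS-NRPC text), the following Python decoder splits Results into the six fields above, names the flags that are set, reports violations of the MUST-be-0 rules, and lists the flags that account for a LogonFailed result. The bit positions it uses are assumptions: the leftmost bit of the diagram is taken as the most significant bit of the 64-bit value and the rightmost letter G of each 16-bit field as its least significant bit; the sample value at the end is constructed.

```python
# Added example, not from the MS-NRPC text: decode the 64-bit Results field of
# NETLOGON_VALIDATION_TICKET_LOGON into its six sub-fields and named flags.
# Assumed bit positions: the leftmost diagram bit is the most significant one, so
# TransitInformation is bits 63..48, SourceInformation 47..32, bytes A..D 31..0
# (D lowest); within each 16-bit field the rightmost letter G is bit 0.
TRANSIT_FLAGS = {0x01: "UserSidsFailed", 0x02: "UserNamespaceFailed",
                 0x04: "UserFailedA2A", 0x08: "DeviceSidsFailed",
                 0x10: "DeviceNamespaceFailed", 0x20: "UserSidsFiltered",
                 0x40: "DeviceSidsFiltered"}
SOURCE_FLAGS = {0x01: "TicketDecryptionFailed", 0x02: "PacValidationFailed",
                0x04: "CompoundSource", 0x08: "SourceUserClaims",
                0x10: "SourceDeviceClaims", 0x20: "FullSignaturePresent",
                0x40: "ResourceGroupsRemoved"}
LOGON_FAILED = 0x01   # the only defined bit of CriticalResults (field D)
DEFINED_16 = 0x7F     # bits A..G of a 16-bit field; the nine X bits stay clear
# Flags the text ties to a failed logon; the Device*Failed flags only drop compound identity.
FAILURE_FLAGS = {"TicketDecryptionFailed", "PacValidationFailed",
                 "UserFailedA2A", "UserNamespaceFailed", "UserSidsFailed"}

def _names(value, table):
    return [name for bit, name in table.items() if value & bit]

def decode_results(results):
    """Split Results into named fields and list violations of the MUST-be-0 rules."""
    if not 0 <= results < 1 << 64:
        raise ValueError("Results must be an unsigned 64-bit integer")
    transit, source = (results >> 48) & 0xFFFF, (results >> 32) & 0xFFFF
    critical = {"CriticalTransitResults": (results >> 24) & 0xFF,
                "CriticalComputerDomainResults": (results >> 16) & 0xFF,
                "CriticalClientResults": (results >> 8) & 0xFF}
    fields = {"TransitInformation": _names(transit, TRANSIT_FLAGS),
              "SourceInformation": _names(source, SOURCE_FLAGS),
              "CriticalResults": results & 0xFF, **critical}
    fields["LogonFailed"] = bool(fields["CriticalResults"] & LOGON_FAILED)
    anomalies = [f"{k} not 0" for k, v in critical.items() if v]  # unused bytes
    if (transit | source) & ~DEFINED_16:
        anomalies.append("reserved X bits set")
    if fields["CriticalResults"] & ~LOGON_FAILED:
        anomalies.append("undefined CriticalResults bits set")
    fields["Anomalies"] = anomalies
    return fields

def explain_failure(results):
    """Return the flags that explain a failed logon, or [] when LogonFailed is clear."""
    d = decode_results(results)
    if not d["LogonFailed"]:
        return []
    found = [f for f in d["SourceInformation"] + d["TransitInformation"] if f in FAILURE_FLAGS]
    return found or ["LogonFailed set without a specific flag"]

# Constructed sample: PAC signature check failed at a KDC that checked the full signature.
SAMPLE_PAC_FAILURE = (0x0022 << 32) | LOGON_FAILED
```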

KerberosStatus: An NTSTATUS code that, if unsuccessful, details an error encountered by the KDC during ticket validation.

NetlogonStatus: An NTSTATUS code that, if unsuccessful, details an error encountered by Netlogon during transit back to the computer.

SourceOfStatus: A UNICODE_STRING containing (if populated) the name of the DC that set either the KerberosStatus or the NetlogonStatus codes.

UserInformation: A pointer to a NETLOGON_VALIDATION_SAM_INFO4 structure (see section 2.2.1.4.13) that contains the authenticated user information.

DeviceInformation: A pointer to a NETLOGON_VALIDATION_SAM_INFO4 structure (see section 2.2.1.4.13) that contains optional authenticated device information.

UserClaimsLength: A 32-bit unsigned integer that is the length of the user claims data, UserClaims.

UserClaims: A pointer to an unsigned character array that contains the user claims data.

DeviceClaimsLength: A 32-bit unsigned integer that is the length of the device claims data, DeviceClaims.

DeviceClaims: A pointer to an unsigned character array that contains the device claims data.