482 lines
14 KiB
C
482 lines
14 KiB
C
//+-----------------------------------------------------------------------
|
|
//
|
|
// Copyright (c) 1990-1999 Microsoft Corporation
|
|
//
|
|
// File: KERBEROS.H
|
|
//
|
|
// Contents: Public Kerberos Security Package structures for use
|
|
// with APIs from SECURITY.H
|
|
//
|
|
//
|
|
// History: 26 Feb 92, RichardW Compiled from other files
|
|
//
|
|
//------------------------------------------------------------------------
|
|
|
|
#ifndef __KERBEROS_H__
|
|
#define __KERBEROS_H__
|
|
#if _MSC_VER > 1000
|
|
#pragma once
|
|
#endif
|
|
|
|
#include <ntmsv1_0.h>
|
|
#include <kerbcon.h>
|
|
|
|
// begin_ntsecapi
|
|
|
|
#ifndef MICROSOFT_KERBEROS_NAME_A
|
|
|
|
#define MICROSOFT_KERBEROS_NAME_A "Kerberos"
|
|
#define MICROSOFT_KERBEROS_NAME_W L"Kerberos"
|
|
#ifdef WIN32_CHICAGO
|
|
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_A
|
|
#else
|
|
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_W
|
|
#endif // WIN32_CHICAGO
|
|
#endif // MICROSOFT_KERBEROS_NAME_A
|
|
|
|
// end_ntsecapi
|
|
|
|
typedef struct _KERB_INIT_CONTEXT_DATA {
|
|
LARGE_INTEGER StartTime; // Start time
|
|
LARGE_INTEGER EndTime; // End time
|
|
LARGE_INTEGER RenewUntilTime; // Renew until time
|
|
ULONG TicketOptions; // From krb5.h
|
|
ULONG RequestOptions; // Options on what to return
|
|
} KERB_INIT_CONTEXT_DATA, *PKERB_INIT_CONTEXT_DATA;
|
|
|
|
#define KERB_INIT_RETURN_TICKET 0x1 // return raw ticket
|
|
#define KERB_INIT_RETURN_MIT_AP_REQ 0x2 // return MIT style AP request
|
|
|
|
// begin_ntsecapi
|
|
|
|
/////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Quality of protection parameters for MakeSignature / EncryptMessage
|
|
//
|
|
/////////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// This flag indicates to EncryptMessage that the message is not to actually
|
|
// be encrypted, but a header/trailer are to be produced.
|
|
//
|
|
|
|
#define KERB_WRAP_NO_ENCRYPT 0x80000001
|
|
|
|
/////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// LsaLogonUser parameters
|
|
//
|
|
/////////////////////////////////////////////////////////////////////////
|
|
|
|
typedef enum _KERB_LOGON_SUBMIT_TYPE {
|
|
KerbInteractiveLogon = 2,
|
|
KerbSmartCardLogon = 6,
|
|
KerbWorkstationUnlockLogon = 7,
|
|
KerbSmartCardUnlockLogon = 8,
|
|
KerbProxyLogon = 9,
|
|
KerbTicketLogon = 10,
|
|
KerbTicketUnlockLogon = 11
|
|
} KERB_LOGON_SUBMIT_TYPE, *PKERB_LOGON_SUBMIT_TYPE;
|
|
|
|
|
|
typedef struct _KERB_INTERACTIVE_LOGON {
|
|
KERB_LOGON_SUBMIT_TYPE MessageType;
|
|
UNICODE_STRING LogonDomainName;
|
|
UNICODE_STRING UserName;
|
|
UNICODE_STRING Password;
|
|
} KERB_INTERACTIVE_LOGON, *PKERB_INTERACTIVE_LOGON;
|
|
|
|
|
|
typedef struct _KERB_INTERACTIVE_UNLOCK_LOGON {
|
|
KERB_INTERACTIVE_LOGON Logon;
|
|
LUID LogonId;
|
|
} KERB_INTERACTIVE_UNLOCK_LOGON, *PKERB_INTERACTIVE_UNLOCK_LOGON;
|
|
|
|
typedef struct _KERB_SMART_CARD_LOGON {
|
|
KERB_LOGON_SUBMIT_TYPE MessageType;
|
|
UNICODE_STRING Pin;
|
|
ULONG CspDataLength;
|
|
PUCHAR CspData;
|
|
} KERB_SMART_CARD_LOGON, *PKERB_SMART_CARD_LOGON;
|
|
|
|
typedef struct _KERB_SMART_CARD_UNLOCK_LOGON {
|
|
KERB_SMART_CARD_LOGON Logon;
|
|
LUID LogonId;
|
|
} KERB_SMART_CARD_UNLOCK_LOGON, *PKERB_SMART_CARD_UNLOCK_LOGON;
|
|
|
|
//
|
|
// Structure used for a ticket-only logon
|
|
//
|
|
|
|
typedef struct _KERB_TICKET_LOGON {
|
|
KERB_LOGON_SUBMIT_TYPE MessageType;
|
|
ULONG Flags;
|
|
ULONG ServiceTicketLength;
|
|
ULONG TicketGrantingTicketLength;
|
|
PUCHAR ServiceTicket; // REQUIRED: Service ticket "host"
|
|
PUCHAR TicketGrantingTicket; // OPTIONAL: User's encdoded in a KERB_CRED message, encrypted with session key from service ticket
|
|
} KERB_TICKET_LOGON, *PKERB_TICKET_LOGON;
|
|
|
|
//
|
|
// Flags for the ticket logon flags field
|
|
//
|
|
|
|
#define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1
|
|
|
|
typedef struct _KERB_TICKET_UNLOCK_LOGON {
|
|
KERB_TICKET_LOGON Logon;
|
|
LUID LogonId;
|
|
} KERB_TICKET_UNLOCK_LOGON, *PKERB_TICKET_UNLOCK_LOGON;
|
|
|
|
//
|
|
// Use the same profile structure as MSV1_0
|
|
//
|
|
typedef enum _KERB_PROFILE_BUFFER_TYPE {
|
|
KerbInteractiveProfile = 2,
|
|
KerbSmartCardProfile = 4,
|
|
KerbTicketProfile = 6
|
|
} KERB_PROFILE_BUFFER_TYPE, *PKERB_PROFILE_BUFFER_TYPE;
|
|
|
|
|
|
typedef struct _KERB_INTERACTIVE_PROFILE {
|
|
KERB_PROFILE_BUFFER_TYPE MessageType;
|
|
USHORT LogonCount;
|
|
USHORT BadPasswordCount;
|
|
LARGE_INTEGER LogonTime;
|
|
LARGE_INTEGER LogoffTime;
|
|
LARGE_INTEGER KickOffTime;
|
|
LARGE_INTEGER PasswordLastSet;
|
|
LARGE_INTEGER PasswordCanChange;
|
|
LARGE_INTEGER PasswordMustChange;
|
|
UNICODE_STRING LogonScript;
|
|
UNICODE_STRING HomeDirectory;
|
|
UNICODE_STRING FullName;
|
|
UNICODE_STRING ProfilePath;
|
|
UNICODE_STRING HomeDirectoryDrive;
|
|
UNICODE_STRING LogonServer;
|
|
ULONG UserFlags;
|
|
} KERB_INTERACTIVE_PROFILE, *PKERB_INTERACTIVE_PROFILE;
|
|
|
|
|
|
//
|
|
// For smart card, we return a smart card profile, which is an interactive
|
|
// profile plus a certificate
|
|
//
|
|
|
|
typedef struct _KERB_SMART_CARD_PROFILE {
|
|
KERB_INTERACTIVE_PROFILE Profile;
|
|
ULONG CertificateSize;
|
|
PUCHAR CertificateData;
|
|
} KERB_SMART_CARD_PROFILE, *PKERB_SMART_CARD_PROFILE;
|
|
|
|
|
|
//
|
|
// For a ticket logon profile, we return the session key from the ticket
|
|
//
|
|
|
|
|
|
typedef struct KERB_CRYPTO_KEY {
|
|
LONG KeyType;
|
|
ULONG Length;
|
|
PUCHAR Value;
|
|
} KERB_CRYPTO_KEY, *PKERB_CRYPTO_KEY;
|
|
|
|
typedef struct _KERB_TICKET_PROFILE {
|
|
KERB_INTERACTIVE_PROFILE Profile;
|
|
KERB_CRYPTO_KEY SessionKey;
|
|
} KERB_TICKET_PROFILE, *PKERB_TICKET_PROFILE;
|
|
|
|
|
|
|
|
|
|
typedef enum _KERB_PROTOCOL_MESSAGE_TYPE {
|
|
KerbDebugRequestMessage = 0,
|
|
KerbQueryTicketCacheMessage,
|
|
KerbChangeMachinePasswordMessage,
|
|
KerbVerifyPacMessage,
|
|
KerbRetrieveTicketMessage,
|
|
KerbUpdateAddressesMessage,
|
|
KerbPurgeTicketCacheMessage,
|
|
KerbChangePasswordMessage,
|
|
KerbRetrieveEncodedTicketMessage,
|
|
KerbDecryptDataMessage,
|
|
KerbAddBindingCacheEntryMessage,
|
|
KerbSetPasswordMessage
|
|
} KERB_PROTOCOL_MESSAGE_TYPE, *PKERB_PROTOCOL_MESSAGE_TYPE;
|
|
|
|
// end_ntsecapi
|
|
|
|
//
|
|
// Structure for a debuggin requequest
|
|
//
|
|
|
|
#define KERB_DEBUG_REQ_BREAKPOINT 0x1
|
|
#define KERB_DEBUG_REQ_CALL_PACK 0x2
|
|
#define KERB_DEBUG_REQ_DATAGRAM 0x3
|
|
#define KERB_DEBUG_REQ_STATISTICS 0x4
|
|
#define KERB_DEBUG_CREATE_TOKEN 0x5
|
|
|
|
typedef struct _KERB_DEBUG_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
ULONG DebugRequest;
|
|
} KERB_DEBUG_REQUEST, *PKERB_DEBUG_REQUEST;
|
|
|
|
typedef struct _KERB_DEBUG_REPLY {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
UCHAR Data[ANYSIZE_ARRAY];
|
|
} KERB_DEBUG_REPLY, *PKERB_DEBUG_REPLY;
|
|
|
|
typedef struct _KERB_DEBUG_STATS {
|
|
ULONG CacheHits;
|
|
ULONG CacheMisses;
|
|
ULONG SkewedRequests;
|
|
ULONG SuccessRequests;
|
|
LARGE_INTEGER LastSync;
|
|
} KERB_DEBUG_STATS, *PKERB_DEBUG_STATS;
|
|
|
|
// begin_ntsecapi
|
|
|
|
//
|
|
// Used both for retrieving tickets and for querying ticket cache
|
|
//
|
|
|
|
typedef struct _KERB_QUERY_TKT_CACHE_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
LUID LogonId;
|
|
} KERB_QUERY_TKT_CACHE_REQUEST, *PKERB_QUERY_TKT_CACHE_REQUEST;
|
|
|
|
|
|
typedef struct _KERB_TICKET_CACHE_INFO {
|
|
UNICODE_STRING ServerName;
|
|
UNICODE_STRING RealmName;
|
|
LARGE_INTEGER StartTime;
|
|
LARGE_INTEGER EndTime;
|
|
LARGE_INTEGER RenewTime;
|
|
LONG EncryptionType;
|
|
ULONG TicketFlags;
|
|
} KERB_TICKET_CACHE_INFO, *PKERB_TICKET_CACHE_INFO;
|
|
|
|
|
|
typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
ULONG CountOfTickets;
|
|
KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY];
|
|
} KERB_QUERY_TKT_CACHE_RESPONSE, *PKERB_QUERY_TKT_CACHE_RESPONSE;
|
|
|
|
//
|
|
// Types for retrieving encoded ticket from the cache
|
|
//
|
|
|
|
#ifndef __SECHANDLE_DEFINED__
|
|
typedef struct _SecHandle
|
|
{
|
|
ULONG_PTR dwLower ;
|
|
ULONG_PTR dwUpper ;
|
|
} SecHandle, * PSecHandle ;
|
|
|
|
#define __SECHANDLE_DEFINED__
|
|
#endif // __SECHANDLE_DEFINED__
|
|
|
|
typedef struct _KERB_RETRIEVE_TKT_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
LUID LogonId;
|
|
UNICODE_STRING TargetName;
|
|
ULONG TicketFlags;
|
|
ULONG CacheOptions;
|
|
LONG EncryptionType;
|
|
SecHandle CredentialsHandle;
|
|
} KERB_RETRIEVE_TKT_REQUEST, *PKERB_RETRIEVE_TKT_REQUEST;
|
|
|
|
#define KERB_RETRIEVE_TICKET_DONT_USE_CACHE 0x1
|
|
#define KERB_RETRIEVE_TICKET_USE_CACHE_ONLY 0x2
|
|
#define KERB_RETRIEVE_TICKET_USE_CREDHANDLE 0x4
|
|
|
|
//
|
|
// Types for the information about a ticket
|
|
//
|
|
|
|
typedef struct _KERB_EXTERNAL_NAME {
|
|
SHORT NameType;
|
|
USHORT NameCount;
|
|
UNICODE_STRING Names[ANYSIZE_ARRAY];
|
|
} KERB_EXTERNAL_NAME, *PKERB_EXTERNAL_NAME;
|
|
|
|
|
|
|
|
typedef struct _KERB_EXTERNAL_TICKET {
|
|
PKERB_EXTERNAL_NAME ServiceName;
|
|
PKERB_EXTERNAL_NAME TargetName;
|
|
PKERB_EXTERNAL_NAME ClientName;
|
|
UNICODE_STRING DomainName;
|
|
UNICODE_STRING TargetDomainName;
|
|
UNICODE_STRING AltTargetDomainName;
|
|
KERB_CRYPTO_KEY SessionKey;
|
|
ULONG TicketFlags;
|
|
ULONG Flags;
|
|
LARGE_INTEGER KeyExpirationTime;
|
|
LARGE_INTEGER StartTime;
|
|
LARGE_INTEGER EndTime;
|
|
LARGE_INTEGER RenewUntil;
|
|
LARGE_INTEGER TimeSkew;
|
|
ULONG EncodedTicketSize;
|
|
PUCHAR EncodedTicket;
|
|
} KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET;
|
|
|
|
typedef struct _KERB_RETRIEVE_TKT_RESPONSE {
|
|
KERB_EXTERNAL_TICKET Ticket;
|
|
} KERB_RETRIEVE_TKT_RESPONSE, *PKERB_RETRIEVE_TKT_RESPONSE;
|
|
|
|
//
|
|
// Used to purge entries from the ticket cache
|
|
//
|
|
|
|
typedef struct _KERB_PURGE_TKT_CACHE_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
LUID LogonId;
|
|
UNICODE_STRING ServerName;
|
|
UNICODE_STRING RealmName;
|
|
} KERB_PURGE_TKT_CACHE_REQUEST, *PKERB_PURGE_TKT_CACHE_REQUEST;
|
|
|
|
|
|
// end_ntsecapi
|
|
|
|
//
|
|
// This must match NT_OWF_PASSWORD_LENGTH
|
|
//
|
|
|
|
|
|
typedef struct _KERB_CHANGE_MACH_PWD_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
UNICODE_STRING NewPassword;
|
|
UNICODE_STRING OldPassword;
|
|
} KERB_CHANGE_MACH_PWD_REQUEST, *PKERB_CHANGE_MACH_PWD_REQUEST;
|
|
|
|
//
|
|
// These messages are used by the kerberos package to verify that the PAC in a
|
|
// ticket is valid. It is remoted from a workstation to a DC in the workstation's
|
|
// domain. On failure there is no response message. On success there may be no
|
|
// message or the same message may be used to send back a PAC updated with
|
|
// local groups from the domain controller. The checksum is placed in the
|
|
// final buffer first, followed by the signature.
|
|
//
|
|
|
|
#include <pshpack1.h>
|
|
typedef struct _KERB_VERIFY_PAC_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
ULONG ChecksumLength;
|
|
ULONG SignatureType;
|
|
ULONG SignatureLength;
|
|
UCHAR ChecksumAndSignature[ANYSIZE_ARRAY];
|
|
} KERB_VERIFY_PAC_REQUEST, *PKERB_VERIFY_PAC_REQUEST;
|
|
|
|
|
|
//
|
|
// Message for update Kerberos's list of addresses. The address count should
|
|
// be the number of addresses & the addresses should be an array of
|
|
// SOCKET_ADDRESS structures. The message type should be KerbUpdateAddressesMessage
|
|
//
|
|
|
|
|
|
typedef struct _KERB_UPDATE_ADDRESSES_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
ULONG AddressCount;
|
|
ULONG Addresses[ANYSIZE_ARRAY]; // array of SOCKET_ADDRESS structures
|
|
} KERB_UPDATE_ADDRESSES_REQUEST, *PKERB_UPDATE_ADDRESSES_REQUEST;
|
|
#include <poppack.h>
|
|
|
|
// begin_ntsecapi
|
|
|
|
//
|
|
// KerbChangePassword
|
|
//
|
|
// KerbChangePassword changes the password on the KDC account plus
|
|
// the password cache and logon credentials if applicable.
|
|
//
|
|
//
|
|
|
|
typedef struct _KERB_CHANGEPASSWORD_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
UNICODE_STRING DomainName;
|
|
UNICODE_STRING AccountName;
|
|
UNICODE_STRING OldPassword;
|
|
UNICODE_STRING NewPassword;
|
|
BOOLEAN Impersonating;
|
|
} KERB_CHANGEPASSWORD_REQUEST, *PKERB_CHANGEPASSWORD_REQUEST;
|
|
|
|
//
|
|
// KerbSetPassword
|
|
//
|
|
// KerbSetPassword changes the password on the KDC account plus
|
|
// the password cache and logon credentials if applicable.
|
|
//
|
|
//
|
|
|
|
|
|
|
|
typedef struct _KERB_SETPASSWORD_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
LUID LogonId;
|
|
SecHandle CredentialsHandle;
|
|
ULONG Flags;
|
|
UNICODE_STRING DomainName;
|
|
UNICODE_STRING AccountName;
|
|
UNICODE_STRING Password;
|
|
} KERB_SETPASSWORD_REQUEST, *PKERB_SETPASSWORD_REQUEST;
|
|
|
|
#define KERB_SETPASS_USE_LOGONID 1
|
|
#define KERB_SETPASS_USE_CREDHANDLE 2
|
|
|
|
|
|
typedef struct _KERB_DECRYPT_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
LUID LogonId;
|
|
ULONG Flags;
|
|
LONG CryptoType;
|
|
LONG KeyUsage;
|
|
KERB_CRYPTO_KEY Key; // optional
|
|
ULONG EncryptedDataSize;
|
|
ULONG InitialVectorSize;
|
|
PUCHAR InitialVector;
|
|
PUCHAR EncryptedData;
|
|
} KERB_DECRYPT_REQUEST, *PKERB_DECRYPT_REQUEST;
|
|
|
|
//
|
|
// If set, use the primary key from the current logon session of the one provided in the LogonId field.
|
|
// Otherwise, use the Key in the KERB_DECRYPT_MESSAGE.
|
|
|
|
#define KERB_DECRYPT_FLAG_DEFAULT_KEY 0x00000001
|
|
|
|
|
|
typedef struct _KERB_DECRYPT_RESPONSE {
|
|
UCHAR DecryptedData[ANYSIZE_ARRAY];
|
|
} KERB_DECRYPT_RESPONSE, *PKERB_DECRYPT_RESPONSE;
|
|
|
|
|
|
//
|
|
// Request structure for adding a binding cache entry. TCB privilege
|
|
// is required for this operation.
|
|
//
|
|
|
|
typedef struct _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST {
|
|
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
UNICODE_STRING RealmName;
|
|
UNICODE_STRING KdcAddress;
|
|
ULONG AddressType; // from dsgetdc.h
|
|
} KERB_ADD_BINDING_CACHE_ENTRY_REQUEST, *PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST;
|
|
|
|
// end_ntsecapi
|
|
|
|
//
|
|
// Location of Kerb authentication package data
|
|
//
|
|
|
|
#define KERB_SUBAUTHENTICATION_KEY "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos"
|
|
#define KERB_SUBAUTHENTICATION_VALUE "Auth"
|
|
#define KERB_SUBAUTHENTICATION_MASK 0x7fffffff
|
|
#define KERB_SUBAUTHENTICATION_FLAG 0x80000000
|
|
|
|
|
|
#endif // __KERBEROS_H__
|
|
|
|
|