3.3.5.6.4.1 KERB_VALIDATION_INFO Structure

For KILE implementations that use an Active Directory for the account database, KDCs SHOULD retrieve the following attributes from the local directory service instance with the same processing rules as defined in SamrQueryInformationUser2() ([MS-SAMR] section 3.1.5.5.5) message processing. The KDC populates the returned KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) fields as follows:

  • The LogonTime field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.LastLogon field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The LogoffTime field SHOULD be computed and set as follows:

    1. Convert the local machine time into an offset from the beginning of the week (as defined in [MS-SAMR] section 2.2.7.5). This conversion must use the same granularity as the UnitsPerWeek field of the Buffer.SAMPR_USER_ALL_INFORMATION.LogonHours of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

    2. Starting at the offset determined in step 1, examine the remaining entries in the Buffer.SAMPR_USER_ALL_INFORMATION.LogonHours. If the value at the initial offset is disabled for authentication, the KDC MUST return Kerb Error KDC_ERROR_CLIENT_REVOKED with status code STATUS_INVALID_LOGON_HOURS. If none of the remaining entries are disabled, use the time stamp value 0x7FFFFFFFFFFFFFFF. Otherwise, compute a time stamp by adding the offset of the next disabled authentication unit to the current time.

    3. Set the LogoffTime field to the lesser of the value determined in step 2 and the value of the Buffer.SAMPR_USER_ALL_INFORMATION.AccountExpires field of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The KickOffTime field SHOULD be set to the LogoffTime + the Buffer.SAMPR_USER_ALL_INFORMATION.ForceLogoff field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The PasswordLastSet field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.PasswordLastSet field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The PasswordCanChange field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.PasswordCanChange field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The PasswordMustChange field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.PasswordMustChange field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The EffectiveName field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.UserName field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The FullName field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.FullName field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The LogonScript field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.ScriptPath field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The ProfilePath field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.ProfilePath field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The HomeDirectory field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.HomeDirectory field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The HomeDirectoryDrive field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.HomeDirectoryDrive field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The LogonCount field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.LogonCount field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The BadPasswordCount field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.BadPasswordCount field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The UserID field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.UserId field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The PrimaryGroupId field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.PrimaryGroupId field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.

  • The UserAccountControl field SHOULD be set to the Buffer.SAMPR_USER_ALL_INFORMATION.UserAccountControl field ([MS-SAMR] section 2.2.7.1) of the SamrQueryInformationUser2 ([MS-SAMR] section 3.1.5.5.5) response message.
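The LogoffTime and KickOffTime rules above are the only fields in this list that are computed rather than copied, and they are where a KDC implementation can go wrong (wrong week origin, wrong bit order, 64-bit overflow when adding ForceLogoff to the "never" sentinel). The following Python is an added worked example of those steps; it is not code from the specification or from any Microsoft implementation. It assumes the week begins at Sunday 00:00 UTC, that LogonHours is a bit array with unit N stored least-significant-bit first in byte N/8, that "the offset of the next disabled authentication unit" means the instant at which that unit starts, and that ForceLogoff is a non-negative delta in 100 ns units. The NTSTATUS value for STATUS_INVALID_LOGON_HOURS and the sample LogonHours bitmap are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF                       # step-2 "never" sentinel
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME origin, 100 ns ticks
SECONDS_PER_WEEK = 7 * 24 * 60 * 60
STATUS_INVALID_LOGON_HOURS = 0xC000006F                    # assumed NTSTATUS value, not on this page


class LogonHoursViolation(Exception):
    """Raised where the KDC would return KDC_ERROR_CLIENT_REVOKED with STATUS_INVALID_LOGON_HOURS."""
    status = STATUS_INVALID_LOGON_HOURS


def to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME (100 ns intervals since 1601-01-01)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def unit_enabled(logon_hours: bytes, unit: int) -> bool:
    # Assumption: unit N is bit (N % 8) of byte (N // 8), LSB first; 1 = logon permitted.
    return (logon_hours[unit // 8] >> (unit % 8)) & 1 == 1


def seconds_into_week(now: datetime) -> int:
    """Whole seconds since Sunday 00:00 UTC (assumed week origin)."""
    now = now.astimezone(timezone.utc)
    days_since_sunday = (now.weekday() + 1) % 7            # Python: Monday=0 ... Sunday=6
    return days_since_sunday * 86400 + now.hour * 3600 + now.minute * 60 + now.second


def week_offset(now: datetime, units_per_week: int) -> int:
    """Step 1: current time as an offset from the start of the week, in UnitsPerWeek granularity."""
    return seconds_into_week(now) * units_per_week // SECONDS_PER_WEEK


def compute_logoff_time(now: datetime, units_per_week: int,
                        logon_hours: bytes, account_expires: int) -> int:
    """Steps 1-3: returns the LogoffTime FILETIME, or raises if logon is not permitted right now."""
    offset = week_offset(now, units_per_week)
    if not unit_enabled(logon_hours, offset):
        raise LogonHoursViolation("KDC_ERROR_CLIENT_REVOKED: current unit is disabled")

    # Step 2: scan the remaining units of this week for the first disabled one (no wrap-around).
    next_disabled = next((u for u in range(offset + 1, units_per_week)
                          if not unit_enabled(logon_hours, u)), None)
    if next_disabled is None:
        step2 = FILETIME_NEVER
    else:
        # Assumption: the offset of the next disabled unit is the instant that unit begins.
        now_utc = now.astimezone(timezone.utc)
        week_start = now_utc - timedelta(seconds=seconds_into_week(now_utc),
                                         microseconds=now_utc.microsecond)
        boundary = week_start + timedelta(seconds=next_disabled * SECONDS_PER_WEEK / units_per_week)
        step2 = to_filetime(boundary)

    # Step 3: the account-expiry time wins if it comes first.
    return min(step2, account_expires)


def compute_kickoff_time(logoff_time: int, force_logoff: int) -> int:
    """KickOffTime = LogoffTime + ForceLogoff, saturating so that "never" stays "never"."""
    # Assumption: ForceLogoff is a non-negative 100 ns delta.  Without the clamp a 64-bit
    # implementation would wrap past 0x7FFFFFFFFFFFFFFF into a negative (i.e. ancient) time.
    if logoff_time == FILETIME_NEVER or force_logoff >= FILETIME_NEVER - logoff_time:
        return FILETIME_NEVER
    return logoff_time + force_logoff


def build_logon_hours(units_per_week: int, allowed) -> bytes:
    """Constructed LogonHours bitmap from a predicate allowed(unit) -> bool (same bit order as above)."""
    buf = bytearray((units_per_week + 7) // 8)
    for unit in range(units_per_week):
        if allowed(unit):
            buf[unit // 8] |= 1 << (unit % 8)
    return bytes(buf)


def business_hours(unit: int) -> bool:
    """Hourly units (UnitsPerWeek = 168): permit Monday-Friday 09:00-16:59 UTC only."""
    day, hour = divmod(unit, 24)                              # day 0 = Sunday
    return 1 <= day <= 5 and 9 <= hour < 17


if __name__ == "__main__":
    hours = build_logon_hours(168, business_hours)
    now = datetime(2024, 3, 13, 14, 30, tzinfo=timezone.utc)  # a Wednesday, inside the window
    logoff = compute_logoff_time(now, 168, hours, FILETIME_NEVER)
    kickoff = compute_kickoff_time(logoff, 30 * 60 * 10_000_000)  # ForceLogoff = 30 minutes
    print("LogoffTime :", from_filetime(logoff))
    print("KickOffTime:", from_filetime(kickoff))
```

With the constructed Monday-to-Friday 09:00-17:00 bitmap and a Wednesday 14:30 UTC clock, step 1 yields unit 86, step 2 finds unit 89 (Wednesday 17:00) as the next disabled unit, and LogoffTime lands on that boundary; an AccountExpires earlier than 17:00 replaces it in step 3, and a clock inside a disabled unit raises the KDC_ERROR_CLIENT_REVOKED condition instead of producing a time.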

For KILE implementations that use an Active Directory for the account database, KDCs MUST retrieve the following attributes from the local directory service instance using the processing rules defined in the GetUserLogonInfo() procedure ([MS-ADTS] section 3.1.1.13.3). The KDC populates the returned KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) as follows:

  • The GroupCount field SHOULD be set to the count of SIDs returned in the ExpandedSids parameter of the GetUserLogonInfo() procedure.

  • The GroupIds field SHOULD be set to the set of SIDs returned in the ExpandedSids parameter of the GetUserLogonInfo() procedure.

The KDC populates the returned KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) fields as follows:

  • The UserSessionKey field MUST be set to zero.

  • The LogonServer SHOULD be set to NetbiosServerName.

  • The LogonDomainName SHOULD be set to NetbiosDomainName.

  • The LogonDomainId SHOULD be set to DomainSid.

  • The Reserved1 field MUST be set to a two-element array of unsigned 32-bit integers and each element of the array MUST be zero.

  • The Reserved3 field MUST be set to a seven-element array of unsigned 32-bit integers and each element of the array MUST be zero.

  • The SidCount field SHOULD contain the number of SIDs in the ExtraSids field. The ExtraSids field SHOULD contain the AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID ([MS-DTYP] section 2.4.2.4), and the D bit SHOULD be set in the UserFlags field.<47>

  • The ResourceGroupDomainSid field MUST be set to NULL.

  • The ResourceGroupCount field SHOULD contain the number of SIDs in the ResourceGroupIds field.

  • The ResourceGroupIds field MUST be set to NULL.
