Allows the user to bind to a specific domain controller (DC), overriding the Kerberos domain binding cache. Kerberos enforces a DC lookup when Dynamic Access Control (DAC) is enabled, so typically authentication is not bound to a specific DC. Certain users may want to bind to the specific DC on which they created an account or set a new password to avoid the DC replication delay. You must have the SeTcbPrivilege privilege set.


  UNICODE_STRING             RealmName;
  UNICODE_STRING             KdcAddress;
  ULONG                      AddressType;
  ULONG                      DcFlags;



A value of the KERB_PROTOCOL_MESSAGE_TYPE enumeration that lists the types of messages that can be sent to the Kerberos authentication package by calling the LsaCallAuthenticationPackage function. This member must be set to KerbAddBindingCacheEntryExMessage.


The name of the realm of the domain controller.


The address of the Key Distribution Center (KDC) of the server to which you want to bind.


The type of string that is contained in the KdcAddress member. This can be one of the following values.


The address is a string IP address of the domain controller, for example, "\\").


The address is a NetBIOS name of the domain controller, for example, "\\phoenix".



The domain controller flags that the caller provides. These flags are needed to pass to the DsGetDcName function.


To meet both the user's requirements and Kerberos' requirements, you need to make two calls to override the Kerberos domain binding cache.

  1. First, you construct a request message type of KERB_QUERY_DOMAIN_EXTENDED_POLICIES_REQUEST in which the MessageType member must be set to KerbQueryDomainExtendedPoliciesMessage. The DomainName member is set to the actual domain name for which the extended domain policies are queried. If DomainName is set to null, the local computer's domain is assumed.

  2. Next, you call the LsaCallAuthenticationPackage function with Kerberos authentication package and the request message. Upon successful return, KERB_QUERY_DOMAIN_EXTENDED_POLICIES_RESPONSE is returned.

    • If the local computer has disabled DAC, the Flags member is set to KERB_QUERY_DOMAIN_EXTENDED_POLICIES_RESPONSE_FLAG_DAC_DISABLED.
    • If the specified domain has Flexible Authentication Secure Tunneling (FAST) enabled, ExtendedPolicies member is set to KERB_EXTENDED_POLICY_FAST_CAPABLE (0x10000).
    • If the specified domain has Claims enabled, ExtendedPolicies member is set to KERB_EXTENDED_POLICY_CLAIMS_CAPABLE (0x40000).
    • If the local computer domain doesn't disable DAC and the specified domain has either FAST or Claims enabled, the DsFlags member of the DsGetDcName function is set to DS_DIRECTORY_SERVICE_8_REQUIRED. Otherwise, DsFlags is 0.
    • If the function returns a failure in the ProtocolStatus member, STATUS_NOT_FOUND indicates that the specified domain cannot be queried because the local computer doesn't have trust to the specified domain. Other error codes indicate the actual failure encountered.
  3. Then you must call DsGetDcName with the returned DsFlags set with flags that represent your own requirements, which may be several, so use the logical operator OR. The DomainControllerInfo member is returned.

  4. Finally, you call the LsaCallAuthenticationPackage function again with the Kerberos authentication package and the request KERB_ADD_BINDING_CACHE_ENTRY_EX_REQUEST in which the DcFlags member is set to the DomainControllerInfo flags. All other members should be populated in the same way as KERB_ADD_BINDING_CACHE_ENTRY_EX_REQUEST. If the DsFlags of the KERB_QUERY_DOMAIN_EXTENDED_POLICIES_RESPONSE is zero, then either DcFlags should be set to zero when calling KERB_ADD_BINDING_CACHE_ENTRY_EX_REQUEST or default back to the existing KERB_ADD_BINDING_CACHE_ENTRY_REQUEST request.


Minimum supported client

Windows 8 [desktop apps only]

Minimum supported server

Windows Server 2012 [desktop apps only]



See also