windows-nt/Source/XPSP1/NT/public/sdk/inc/kerberos.h

//+-----------------------------------------------------------------------
//
// Copyright (c) 1990-1999 Microsoft Corporation
//
// File:        KERBEROS.H
//
// Contents:    Public Kerberos Security Package structures for use
//              with APIs from SECURITY.H
//
//
// History:     26 Feb 92,  RichardW    Compiled from other files
//
//------------------------------------------------------------------------

#ifndef __KERBEROS_H__
#define __KERBEROS_H__
#if _MSC_VER > 1000
#pragma once
#endif

#include <ntmsv1_0.h>
#include <kerbcon.h>

// begin_ntsecapi

#ifndef MICROSOFT_KERBEROS_NAME_A

#define MICROSOFT_KERBEROS_NAME_A   "Kerberos"
#define MICROSOFT_KERBEROS_NAME_W   L"Kerberos"
#ifdef WIN32_CHICAGO
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_A
#else
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_W
#endif // WIN32_CHICAGO
#endif // MICROSOFT_KERBEROS_NAME_A

// end_ntsecapi

typedef struct _KERB_INIT_CONTEXT_DATA {
    LARGE_INTEGER StartTime;            // Start time
    LARGE_INTEGER EndTime;              // End time
    LARGE_INTEGER RenewUntilTime;       // Renew until time
    ULONG TicketOptions;            // From krb5.h
    ULONG RequestOptions;           // Options on what to return
} KERB_INIT_CONTEXT_DATA, *PKERB_INIT_CONTEXT_DATA;

#define KERB_INIT_RETURN_TICKET             0x1     // return raw ticket
#define KERB_INIT_RETURN_MIT_AP_REQ         0x2     // return MIT style AP request

// begin_ntsecapi

/////////////////////////////////////////////////////////////////////////
//
// Quality of protection parameters for MakeSignature / EncryptMessage
//
/////////////////////////////////////////////////////////////////////////

//
// This flag indicates to EncryptMessage that the message is not to actually
// be encrypted, but a header/trailer are to be produced.
//

#define KERB_WRAP_NO_ENCRYPT 0x80000001

/////////////////////////////////////////////////////////////////////////
//
// LsaLogonUser parameters
//
/////////////////////////////////////////////////////////////////////////

typedef enum _KERB_LOGON_SUBMIT_TYPE {
    KerbInteractiveLogon = 2,
    KerbSmartCardLogon = 6,
    KerbWorkstationUnlockLogon = 7,
    KerbSmartCardUnlockLogon = 8,
    KerbProxyLogon = 9,
    KerbTicketLogon = 10,
    KerbTicketUnlockLogon = 11,
    KerbS4ULogon = 12
} KERB_LOGON_SUBMIT_TYPE, *PKERB_LOGON_SUBMIT_TYPE;


typedef struct _KERB_INTERACTIVE_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    UNICODE_STRING LogonDomainName;
    UNICODE_STRING UserName;
    UNICODE_STRING Password;
} KERB_INTERACTIVE_LOGON, *PKERB_INTERACTIVE_LOGON;


typedef struct _KERB_INTERACTIVE_UNLOCK_LOGON {
    KERB_INTERACTIVE_LOGON Logon;
    LUID LogonId;
} KERB_INTERACTIVE_UNLOCK_LOGON, *PKERB_INTERACTIVE_UNLOCK_LOGON;

typedef struct _KERB_SMART_CARD_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    UNICODE_STRING Pin;
    ULONG CspDataLength;
    PUCHAR CspData;
} KERB_SMART_CARD_LOGON, *PKERB_SMART_CARD_LOGON;

typedef struct _KERB_SMART_CARD_UNLOCK_LOGON {
    KERB_SMART_CARD_LOGON Logon;
    LUID LogonId;
} KERB_SMART_CARD_UNLOCK_LOGON, *PKERB_SMART_CARD_UNLOCK_LOGON;

//
// Structure used for a ticket-only logon
//

typedef struct _KERB_TICKET_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    ULONG Flags;
    ULONG ServiceTicketLength;
    ULONG TicketGrantingTicketLength;
    PUCHAR ServiceTicket;               // REQUIRED: Service ticket "host"
    PUCHAR TicketGrantingTicket;        // OPTIONAL: User's encdoded in a KERB_CRED message, encrypted with session key from service ticket
} KERB_TICKET_LOGON, *PKERB_TICKET_LOGON;

//
// Flags for the ticket logon flags field
//

#define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1

typedef struct _KERB_TICKET_UNLOCK_LOGON {
    KERB_TICKET_LOGON Logon;
    LUID LogonId;
} KERB_TICKET_UNLOCK_LOGON, *PKERB_TICKET_UNLOCK_LOGON;

//
//  Used for S4U Client requests
//
//
typedef struct _KERB_S4U_LOGON {
    KERB_LOGON_SUBMIT_TYPE MessageType;
    ULONG Flags;
    UNICODE_STRING ClientUpn;   // REQUIRED: UPN for client
    UNICODE_STRING ClientRealm; // Optional: Client Realm, if known
} KERB_S4U_LOGON, *PKERB_S4U_LOGON;

//
// TBD:  Flags for S4UToSelf() logon
//


//
// Use the same profile structure as MSV1_0
//
typedef enum _KERB_PROFILE_BUFFER_TYPE {
    KerbInteractiveProfile = 2,
    KerbSmartCardProfile = 4,
    KerbTicketProfile = 6
} KERB_PROFILE_BUFFER_TYPE, *PKERB_PROFILE_BUFFER_TYPE;


typedef struct _KERB_INTERACTIVE_PROFILE {
    KERB_PROFILE_BUFFER_TYPE MessageType;
    USHORT LogonCount;
    USHORT BadPasswordCount;
    LARGE_INTEGER LogonTime;
    LARGE_INTEGER LogoffTime;
    LARGE_INTEGER KickOffTime;
    LARGE_INTEGER PasswordLastSet;
    LARGE_INTEGER PasswordCanChange;
    LARGE_INTEGER PasswordMustChange;
    UNICODE_STRING LogonScript;
    UNICODE_STRING HomeDirectory;
    UNICODE_STRING FullName;
    UNICODE_STRING ProfilePath;
    UNICODE_STRING HomeDirectoryDrive;
    UNICODE_STRING LogonServer;
    ULONG UserFlags;
} KERB_INTERACTIVE_PROFILE, *PKERB_INTERACTIVE_PROFILE;


//
// For smart card, we return a smart card profile, which is an interactive
// profile plus a certificate
//

typedef struct _KERB_SMART_CARD_PROFILE {
    KERB_INTERACTIVE_PROFILE Profile;
    ULONG CertificateSize;
    PUCHAR CertificateData;
} KERB_SMART_CARD_PROFILE, *PKERB_SMART_CARD_PROFILE;


//
// For a ticket logon profile, we return the session key from the ticket
//


typedef struct KERB_CRYPTO_KEY {
    LONG KeyType;
    ULONG Length;
    PUCHAR Value;
} KERB_CRYPTO_KEY, *PKERB_CRYPTO_KEY;

typedef struct _KERB_TICKET_PROFILE {
    KERB_INTERACTIVE_PROFILE Profile;
    KERB_CRYPTO_KEY SessionKey;
} KERB_TICKET_PROFILE, *PKERB_TICKET_PROFILE;


typedef enum _KERB_PROTOCOL_MESSAGE_TYPE {
    KerbDebugRequestMessage = 0,
    KerbQueryTicketCacheMessage,
    KerbChangeMachinePasswordMessage,
    KerbVerifyPacMessage,
    KerbRetrieveTicketMessage,
    KerbUpdateAddressesMessage,
    KerbPurgeTicketCacheMessage,
    KerbChangePasswordMessage,
    KerbRetrieveEncodedTicketMessage,
    KerbDecryptDataMessage,
    KerbAddBindingCacheEntryMessage,
    KerbSetPasswordMessage,
    KerbSetPasswordExMessage,
    KerbVerifyCredentialsMessage,
    KerbQueryTicketCacheExMessage,
    KerbPurgeTicketCacheExMessage,
//  KerbRetrieveEncodedTicketExMessage,
} KERB_PROTOCOL_MESSAGE_TYPE, *PKERB_PROTOCOL_MESSAGE_TYPE;

// end_ntsecapi

//
// Structure for a debuggin requequest
//

#define KERB_DEBUG_REQ_BREAKPOINT       0x1
#define KERB_DEBUG_REQ_CALL_PACK        0x2
#define KERB_DEBUG_REQ_DATAGRAM         0x3
#define KERB_DEBUG_REQ_STATISTICS       0x4
#define KERB_DEBUG_CREATE_TOKEN         0x5

typedef struct _KERB_DEBUG_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG DebugRequest;
} KERB_DEBUG_REQUEST, *PKERB_DEBUG_REQUEST;

typedef struct _KERB_DEBUG_REPLY {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UCHAR Data[ANYSIZE_ARRAY];
} KERB_DEBUG_REPLY, *PKERB_DEBUG_REPLY;

typedef struct _KERB_DEBUG_STATS {
    ULONG CacheHits;
    ULONG CacheMisses;
    ULONG SkewedRequests;
    ULONG SuccessRequests;
    LARGE_INTEGER LastSync;
} KERB_DEBUG_STATS, *PKERB_DEBUG_STATS;

// begin_ntsecapi

//
// Used both for retrieving tickets and for querying ticket cache
//

typedef struct _KERB_QUERY_TKT_CACHE_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
} KERB_QUERY_TKT_CACHE_REQUEST, *PKERB_QUERY_TKT_CACHE_REQUEST;


typedef struct _KERB_TICKET_CACHE_INFO {
    UNICODE_STRING ServerName;
    UNICODE_STRING RealmName;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewTime;
    LONG EncryptionType;
    ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO, *PKERB_TICKET_CACHE_INFO;


typedef struct _KERB_TICKET_CACHE_INFO_EX {
    UNICODE_STRING ClientName;
    UNICODE_STRING ClientRealm;
    UNICODE_STRING ServerName;
    UNICODE_STRING ServerRealm;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewTime;
    LONG EncryptionType;
    ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO_EX, *PKERB_TICKET_CACHE_INFO_EX;


typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG CountOfTickets;
    KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_RESPONSE, *PKERB_QUERY_TKT_CACHE_RESPONSE;


typedef struct _KERB_QUERY_TKT_CACHE_EX_RESPONSE {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG CountOfTickets;
    KERB_TICKET_CACHE_INFO_EX Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_EX_RESPONSE, *PKERB_QUERY_TKT_CACHE_EX_RESPONSE;


//
// Types for retrieving encoded ticket from the cache
//

#ifndef __SECHANDLE_DEFINED__
typedef struct _SecHandle
{
    ULONG_PTR dwLower ;
    ULONG_PTR dwUpper ;
} SecHandle, * PSecHandle ;

#define __SECHANDLE_DEFINED__
#endif // __SECHANDLE_DEFINED__

// Ticket Flags
#define KERB_USE_DEFAULT_TICKET_FLAGS       0x0

// CacheOptions
#define KERB_RETRIEVE_TICKET_DEFAULT        0x0
#define KERB_RETRIEVE_TICKET_DONT_USE_CACHE 0x1
#define KERB_RETRIEVE_TICKET_USE_CACHE_ONLY 0x2
#define KERB_RETRIEVE_TICKET_USE_CREDHANDLE 0x4
#define KERB_RETRIEVE_TICKET_AS_KERB_CRED   0x8
#define KERB_RETRIEVE_TICKET_WITH_SEC_CRED  0x10

// Encryption Type options
#define KERB_ETYPE_DEFAULT 0x0 // don't specify etype in tkt req.

typedef struct _KERB_AUTH_DATA {
    ULONG Type;
    ULONG Length;
    PUCHAR Data;
} KERB_AUTH_DATA, *PKERB_AUTH_DATA;


typedef struct _KERB_NET_ADDRESS {
    ULONG Family;
    ULONG Length;
    PCHAR Address;
} KERB_NET_ADDRESS, *PKERB_NET_ADDRESS;


typedef struct _KERB_NET_ADDRESSES {
    ULONG Number;
    KERB_NET_ADDRESS Addresses[ANYSIZE_ARRAY];
} KERB_NET_ADDRESSES, *PKERB_NET_ADDRESSES;

//
// Types for the information about a ticket
//

typedef struct _KERB_EXTERNAL_NAME {
    SHORT NameType;
    USHORT NameCount;
    UNICODE_STRING Names[ANYSIZE_ARRAY];
} KERB_EXTERNAL_NAME, *PKERB_EXTERNAL_NAME;


typedef struct _KERB_EXTERNAL_TICKET {
    PKERB_EXTERNAL_NAME ServiceName;
    PKERB_EXTERNAL_NAME TargetName;
    PKERB_EXTERNAL_NAME ClientName;
    UNICODE_STRING DomainName;
    UNICODE_STRING TargetDomainName;
    UNICODE_STRING AltTargetDomainName;
    KERB_CRYPTO_KEY SessionKey;
    ULONG TicketFlags;
    ULONG Flags;
    LARGE_INTEGER KeyExpirationTime;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewUntil;
    LARGE_INTEGER TimeSkew;
    ULONG EncodedTicketSize;
    PUCHAR EncodedTicket;
} KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET;

#if 0

typedef struct _KERB_EXTERNAL_TICKET_EX {
    PKERB_EXTERNAL_NAME ClientName;
    PKERB_EXTERNAL_NAME ServiceName;
    PKERB_EXTERNAL_NAME TargetName;
    UNICODE_STRING ClientRealm;
    UNICODE_STRING ServerRealm;
    UNICODE_STRING TargetDomainName;
    UNICODE_STRING AltTargetDomainName;
    KERB_CRYPTO_KEY SessionKey;
    ULONG TicketFlags;
    ULONG Flags;
    LARGE_INTEGER KeyExpirationTime;
    LARGE_INTEGER StartTime;
    LARGE_INTEGER EndTime;
    LARGE_INTEGER RenewUntil;
    LARGE_INTEGER TimeSkew;
    PKERB_NET_ADDRESSES TicketAddresses;
    PKERB_AUTH_DATA AuthorizationData;
    _KERB_EXTERNAL_TICKET_EX * SecondTicket;
    ULONG EncodedTicketSize;
    PUCHAR EncodedTicket;
} KERB_EXTERNAL_TICKET_EX, *PKERB_EXTERNAL_TICKET_EX;

#endif // 0

typedef struct _KERB_RETRIEVE_TKT_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    UNICODE_STRING TargetName;
    ULONG TicketFlags;
    ULONG CacheOptions;
    LONG EncryptionType;
    SecHandle CredentialsHandle;
} KERB_RETRIEVE_TKT_REQUEST, *PKERB_RETRIEVE_TKT_REQUEST;

#if 0

typedef struct _KERB_RETRIEVE_TKT_EX_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    KERB_TICKET_CACHE_INFO_EX TicketTemplate;
    ULONG CacheOptions;
    SecHandle CredentialsHandle;
    PKERB_EXTERNAL_TICKET_EX SecondTicket;
    PKERB_AUTH_DATA UserAuthData;
    PKERB_NET_ADDRESS Addresses;
} KERB_RETRIEVE_TKT_EX_REQUEST, *PKERB_RETRIEVE_TKT_EX_REQUEST;

#endif // 0

typedef struct _KERB_RETRIEVE_TKT_RESPONSE {
    KERB_EXTERNAL_TICKET Ticket;
} KERB_RETRIEVE_TKT_RESPONSE, *PKERB_RETRIEVE_TKT_RESPONSE;

#if 0

typedef struct _KERB_RETRIEVE_TKT_EX_RESPONSE {
    KERB_EXTERNAL_TICKET_EX Ticket;
} KERB_RETRIEVE_TKT_EX_RESPONSE, *PKERB_RETRIEVE_TKT_EX_RESPONSE;

#endif // 0

//
// Used to purge entries from the ticket cache
//

typedef struct _KERB_PURGE_TKT_CACHE_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    UNICODE_STRING ServerName;
    UNICODE_STRING RealmName;
} KERB_PURGE_TKT_CACHE_REQUEST, *PKERB_PURGE_TKT_CACHE_REQUEST;

//
// Flags for purge requests
//

#define KERB_PURGE_ALL_TICKETS 1

typedef struct _KERB_PURGE_TKT_CACHE_EX_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    ULONG Flags;
    KERB_TICKET_CACHE_INFO_EX TicketTemplate;
} KERB_PURGE_TKT_CACHE_EX_REQUEST, *PKERB_PURGE_TKT_CACHE_EX_REQUEST;


// end_ntsecapi

//
// This must match NT_OWF_PASSWORD_LENGTH
//


typedef struct _KERB_CHANGE_MACH_PWD_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING NewPassword;
    UNICODE_STRING OldPassword;
} KERB_CHANGE_MACH_PWD_REQUEST, *PKERB_CHANGE_MACH_PWD_REQUEST;

//
// These messages are used by the kerberos package to verify that the PAC in a
// ticket is valid. It is remoted from a workstation to a DC in the workstation's
// domain. On failure there is no response message. On success there may be no
// message or the same message may be used to send back a PAC updated with
// local groups from the domain controller. The checksum is placed in the
// final buffer first, followed by the signature.
//

#include <pshpack1.h>
typedef struct _KERB_VERIFY_PAC_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG ChecksumLength;
    ULONG SignatureType;
    ULONG SignatureLength;
    UCHAR ChecksumAndSignature[ANYSIZE_ARRAY];
} KERB_VERIFY_PAC_REQUEST, *PKERB_VERIFY_PAC_REQUEST;


//
// Message for update Kerberos's list of addresses. The address count should
// be the number of addresses & the addresses should be an array of
// SOCKET_ADDRESS structures. The message type should be KerbUpdateAddressesMessage
//


typedef struct _KERB_UPDATE_ADDRESSES_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    ULONG AddressCount;
    ULONG Addresses[ANYSIZE_ARRAY];      // array of SOCKET_ADDRESS structures
} KERB_UPDATE_ADDRESSES_REQUEST, *PKERB_UPDATE_ADDRESSES_REQUEST;
#include <poppack.h>

// begin_ntsecapi

//
// KerbChangePassword
//
// KerbChangePassword changes the password on the KDC account plus
//  the password cache and logon credentials if applicable.
//
//

typedef struct _KERB_CHANGEPASSWORD_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING DomainName;
    UNICODE_STRING AccountName;
    UNICODE_STRING OldPassword;
    UNICODE_STRING NewPassword;
    BOOLEAN        Impersonating;
} KERB_CHANGEPASSWORD_REQUEST, *PKERB_CHANGEPASSWORD_REQUEST;


//
// KerbSetPassword
//
// KerbSetPassword changes the password on the KDC account plus
//  the password cache and logon credentials if applicable.
//
//
   
typedef struct _KERB_SETPASSWORD_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    SecHandle CredentialsHandle;
    ULONG Flags;
    UNICODE_STRING DomainName;
    UNICODE_STRING AccountName;
    UNICODE_STRING Password;
} KERB_SETPASSWORD_REQUEST, *PKERB_SETPASSWORD_REQUEST;


typedef struct _KERB_SETPASSWORD_EX_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    SecHandle CredentialsHandle;
    ULONG Flags;
    UNICODE_STRING AccountRealm;
    UNICODE_STRING AccountName;
    UNICODE_STRING Password;
    UNICODE_STRING ClientRealm;
    UNICODE_STRING ClientName;
    BOOLEAN        Impersonating;
    UNICODE_STRING KdcAddress;
    ULONG          KdcAddressType;
 } KERB_SETPASSWORD_EX_REQUEST, *PKERB_SETPASSWORD_EX_REQUEST;

                                                                   
#define DS_UNKNOWN_ADDRESS_TYPE         0 // anything *but* IP
#define KERB_SETPASS_USE_LOGONID        1
#define KERB_SETPASS_USE_CREDHANDLE     2


typedef struct _KERB_DECRYPT_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    LUID LogonId;
    ULONG Flags;
    LONG CryptoType;
    LONG KeyUsage;
    KERB_CRYPTO_KEY Key;        // optional
    ULONG EncryptedDataSize;
    ULONG InitialVectorSize;
    PUCHAR InitialVector;
    PUCHAR EncryptedData;
} KERB_DECRYPT_REQUEST, *PKERB_DECRYPT_REQUEST;

//
// If set, use the primary key from the current logon session of the one provided in the LogonId field.
// Otherwise, use the Key in the KERB_DECRYPT_MESSAGE.

#define KERB_DECRYPT_FLAG_DEFAULT_KEY   0x00000001


typedef struct _KERB_DECRYPT_RESPONSE  {
        UCHAR DecryptedData[ANYSIZE_ARRAY];
} KERB_DECRYPT_RESPONSE, *PKERB_DECRYPT_RESPONSE;


//
// Request structure for adding a binding cache entry. TCB privilege
// is required for this operation.
//

typedef struct _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING RealmName;
    UNICODE_STRING KdcAddress;
    ULONG AddressType;                  //dsgetdc.h DS_NETBIOS_ADDRESS||DS_INET_ADDRESS
} KERB_ADD_BINDING_CACHE_ENTRY_REQUEST, *PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST;

                       
// end_ntsecapi

typedef struct _KERB_VERIFY_CREDENTIALS_REQUEST {
    KERB_PROTOCOL_MESSAGE_TYPE MessageType;
    UNICODE_STRING UserName;
    UNICODE_STRING DomainName;
    UNICODE_STRING Password;
    ULONG VerifyFlags;
} KERB_VERIFY_CREDENTIALS_REQUEST, *PKERB_VERIFY_CREDENTIALS_REQUEST;


//
// Location of Kerb authentication package data
//

#define KERB_SUBAUTHENTICATION_KEY "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos"
#define KERB_SUBAUTHENTICATION_VALUE "Auth"
#define KERB_SUBAUTHENTICATION_MASK 0x7fffffff
#define KERB_SUBAUTHENTICATION_FLAG 0x80000000


#endif  // __KERBEROS_H__
Add source files 2020-09-26 03:20:57 -05:00			`//+-----------------------------------------------------------------------`
			`//`
			`// Copyright (c) 1990-1999 Microsoft Corporation`
			`//`
			`// File: KERBEROS.H`
			`//`
			`// Contents: Public Kerberos Security Package structures for use`
			`// with APIs from SECURITY.H`
			`//`
			`//`
			`// History: 26 Feb 92, RichardW Compiled from other files`
			`//`
			`//------------------------------------------------------------------------`

			`#ifndef __KERBEROS_H__`
			`#define __KERBEROS_H__`
			`#if _MSC_VER > 1000`
			`#pragma once`
			`#endif`

			`#include <ntmsv1_0.h>`
			`#include <kerbcon.h>`

			`// begin_ntsecapi`

			`#ifndef MICROSOFT_KERBEROS_NAME_A`

			`#define MICROSOFT_KERBEROS_NAME_A "Kerberos"`
			`#define MICROSOFT_KERBEROS_NAME_W L"Kerberos"`
			`#ifdef WIN32_CHICAGO`
			`#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_A`
			`#else`
			`#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_W`
			`#endif // WIN32_CHICAGO`
			`#endif // MICROSOFT_KERBEROS_NAME_A`

			`// end_ntsecapi`

			`typedef struct _KERB_INIT_CONTEXT_DATA {`
			`LARGE_INTEGER StartTime; // Start time`
			`LARGE_INTEGER EndTime; // End time`
			`LARGE_INTEGER RenewUntilTime; // Renew until time`
			`ULONG TicketOptions; // From krb5.h`
			`ULONG RequestOptions; // Options on what to return`
			`} KERB_INIT_CONTEXT_DATA, *PKERB_INIT_CONTEXT_DATA;`

			`#define KERB_INIT_RETURN_TICKET 0x1 // return raw ticket`
			`#define KERB_INIT_RETURN_MIT_AP_REQ 0x2 // return MIT style AP request`

			`// begin_ntsecapi`

			`/////////////////////////////////////////////////////////////////////////`
			`//`
			`// Quality of protection parameters for MakeSignature / EncryptMessage`
			`//`
			`/////////////////////////////////////////////////////////////////////////`

			`//`
			`// This flag indicates to EncryptMessage that the message is not to actually`
			`// be encrypted, but a header/trailer are to be produced.`
			`//`

			`#define KERB_WRAP_NO_ENCRYPT 0x80000001`

			`/////////////////////////////////////////////////////////////////////////`
			`//`
			`// LsaLogonUser parameters`
			`//`
			`/////////////////////////////////////////////////////////////////////////`

			`typedef enum _KERB_LOGON_SUBMIT_TYPE {`
			`KerbInteractiveLogon = 2,`
			`KerbSmartCardLogon = 6,`
			`KerbWorkstationUnlockLogon = 7,`
			`KerbSmartCardUnlockLogon = 8,`
			`KerbProxyLogon = 9,`
			`KerbTicketLogon = 10,`
			`KerbTicketUnlockLogon = 11,`
			`KerbS4ULogon = 12`
			`} KERB_LOGON_SUBMIT_TYPE, *PKERB_LOGON_SUBMIT_TYPE;`


			`typedef struct _KERB_INTERACTIVE_LOGON {`
			`KERB_LOGON_SUBMIT_TYPE MessageType;`
			`UNICODE_STRING LogonDomainName;`
			`UNICODE_STRING UserName;`
			`UNICODE_STRING Password;`
			`} KERB_INTERACTIVE_LOGON, *PKERB_INTERACTIVE_LOGON;`


			`typedef struct _KERB_INTERACTIVE_UNLOCK_LOGON {`
			`KERB_INTERACTIVE_LOGON Logon;`
			`LUID LogonId;`
			`} KERB_INTERACTIVE_UNLOCK_LOGON, *PKERB_INTERACTIVE_UNLOCK_LOGON;`

			`typedef struct _KERB_SMART_CARD_LOGON {`
			`KERB_LOGON_SUBMIT_TYPE MessageType;`
			`UNICODE_STRING Pin;`
			`ULONG CspDataLength;`
			`PUCHAR CspData;`
			`} KERB_SMART_CARD_LOGON, *PKERB_SMART_CARD_LOGON;`

			`typedef struct _KERB_SMART_CARD_UNLOCK_LOGON {`
			`KERB_SMART_CARD_LOGON Logon;`
			`LUID LogonId;`
			`} KERB_SMART_CARD_UNLOCK_LOGON, *PKERB_SMART_CARD_UNLOCK_LOGON;`

			`//`
			`// Structure used for a ticket-only logon`
			`//`

			`typedef struct _KERB_TICKET_LOGON {`
			`KERB_LOGON_SUBMIT_TYPE MessageType;`
			`ULONG Flags;`
			`ULONG ServiceTicketLength;`
			`ULONG TicketGrantingTicketLength;`
			`PUCHAR ServiceTicket; // REQUIRED: Service ticket "host"`
			`PUCHAR TicketGrantingTicket; // OPTIONAL: User's encdoded in a KERB_CRED message, encrypted with session key from service ticket`
			`} KERB_TICKET_LOGON, *PKERB_TICKET_LOGON;`

			`//`
			`// Flags for the ticket logon flags field`
			`//`

			`#define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1`

			`typedef struct _KERB_TICKET_UNLOCK_LOGON {`
			`KERB_TICKET_LOGON Logon;`
			`LUID LogonId;`
			`} KERB_TICKET_UNLOCK_LOGON, *PKERB_TICKET_UNLOCK_LOGON;`

			`//`
			`// Used for S4U Client requests`
			`//`
			`//`
			`typedef struct _KERB_S4U_LOGON {`
			`KERB_LOGON_SUBMIT_TYPE MessageType;`
			`ULONG Flags;`
			`UNICODE_STRING ClientUpn; // REQUIRED: UPN for client`
			`UNICODE_STRING ClientRealm; // Optional: Client Realm, if known`
			`} KERB_S4U_LOGON, *PKERB_S4U_LOGON;`

			`//`
			`// TBD: Flags for S4UToSelf() logon`
			`//`




			`//`
			`// Use the same profile structure as MSV1_0`
			`//`
			`typedef enum _KERB_PROFILE_BUFFER_TYPE {`
			`KerbInteractiveProfile = 2,`
			`KerbSmartCardProfile = 4,`
			`KerbTicketProfile = 6`
			`} KERB_PROFILE_BUFFER_TYPE, *PKERB_PROFILE_BUFFER_TYPE;`


			`typedef struct _KERB_INTERACTIVE_PROFILE {`
			`KERB_PROFILE_BUFFER_TYPE MessageType;`
			`USHORT LogonCount;`
			`USHORT BadPasswordCount;`
			`LARGE_INTEGER LogonTime;`
			`LARGE_INTEGER LogoffTime;`
			`LARGE_INTEGER KickOffTime;`
			`LARGE_INTEGER PasswordLastSet;`
			`LARGE_INTEGER PasswordCanChange;`
			`LARGE_INTEGER PasswordMustChange;`
			`UNICODE_STRING LogonScript;`
			`UNICODE_STRING HomeDirectory;`
			`UNICODE_STRING FullName;`
			`UNICODE_STRING ProfilePath;`
			`UNICODE_STRING HomeDirectoryDrive;`
			`UNICODE_STRING LogonServer;`
			`ULONG UserFlags;`
			`} KERB_INTERACTIVE_PROFILE, *PKERB_INTERACTIVE_PROFILE;`


			`//`
			`// For smart card, we return a smart card profile, which is an interactive`
			`// profile plus a certificate`
			`//`

			`typedef struct _KERB_SMART_CARD_PROFILE {`
			`KERB_INTERACTIVE_PROFILE Profile;`
			`ULONG CertificateSize;`
			`PUCHAR CertificateData;`
			`} KERB_SMART_CARD_PROFILE, *PKERB_SMART_CARD_PROFILE;`


			`//`
			`// For a ticket logon profile, we return the session key from the ticket`
			`//`


			`typedef struct KERB_CRYPTO_KEY {`
			`LONG KeyType;`
			`ULONG Length;`
			`PUCHAR Value;`
			`} KERB_CRYPTO_KEY, *PKERB_CRYPTO_KEY;`

			`typedef struct _KERB_TICKET_PROFILE {`
			`KERB_INTERACTIVE_PROFILE Profile;`
			`KERB_CRYPTO_KEY SessionKey;`
			`} KERB_TICKET_PROFILE, *PKERB_TICKET_PROFILE;`




			`typedef enum _KERB_PROTOCOL_MESSAGE_TYPE {`
			`KerbDebugRequestMessage = 0,`
			`KerbQueryTicketCacheMessage,`
			`KerbChangeMachinePasswordMessage,`
			`KerbVerifyPacMessage,`
			`KerbRetrieveTicketMessage,`
			`KerbUpdateAddressesMessage,`
			`KerbPurgeTicketCacheMessage,`
			`KerbChangePasswordMessage,`
			`KerbRetrieveEncodedTicketMessage,`
			`KerbDecryptDataMessage,`
			`KerbAddBindingCacheEntryMessage,`
			`KerbSetPasswordMessage,`
			`KerbSetPasswordExMessage,`
			`KerbVerifyCredentialsMessage,`
			`KerbQueryTicketCacheExMessage,`
			`KerbPurgeTicketCacheExMessage,`
			`// KerbRetrieveEncodedTicketExMessage,`
			`} KERB_PROTOCOL_MESSAGE_TYPE, *PKERB_PROTOCOL_MESSAGE_TYPE;`

			`// end_ntsecapi`

			`//`
			`// Structure for a debuggin requequest`
			`//`

			`#define KERB_DEBUG_REQ_BREAKPOINT 0x1`
			`#define KERB_DEBUG_REQ_CALL_PACK 0x2`
			`#define KERB_DEBUG_REQ_DATAGRAM 0x3`
			`#define KERB_DEBUG_REQ_STATISTICS 0x4`
			`#define KERB_DEBUG_CREATE_TOKEN 0x5`

			`typedef struct _KERB_DEBUG_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`ULONG DebugRequest;`
			`} KERB_DEBUG_REQUEST, *PKERB_DEBUG_REQUEST;`

			`typedef struct _KERB_DEBUG_REPLY {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`UCHAR Data[ANYSIZE_ARRAY];`
			`} KERB_DEBUG_REPLY, *PKERB_DEBUG_REPLY;`

			`typedef struct _KERB_DEBUG_STATS {`
			`ULONG CacheHits;`
			`ULONG CacheMisses;`
			`ULONG SkewedRequests;`
			`ULONG SuccessRequests;`
			`LARGE_INTEGER LastSync;`
			`} KERB_DEBUG_STATS, *PKERB_DEBUG_STATS;`

			`// begin_ntsecapi`

			`//`
			`// Used both for retrieving tickets and for querying ticket cache`
			`//`

			`typedef struct _KERB_QUERY_TKT_CACHE_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`} KERB_QUERY_TKT_CACHE_REQUEST, *PKERB_QUERY_TKT_CACHE_REQUEST;`


			`typedef struct _KERB_TICKET_CACHE_INFO {`
			`UNICODE_STRING ServerName;`
			`UNICODE_STRING RealmName;`
			`LARGE_INTEGER StartTime;`
			`LARGE_INTEGER EndTime;`
			`LARGE_INTEGER RenewTime;`
			`LONG EncryptionType;`
			`ULONG TicketFlags;`
			`} KERB_TICKET_CACHE_INFO, *PKERB_TICKET_CACHE_INFO;`


			`typedef struct _KERB_TICKET_CACHE_INFO_EX {`
			`UNICODE_STRING ClientName;`
			`UNICODE_STRING ClientRealm;`
			`UNICODE_STRING ServerName;`
			`UNICODE_STRING ServerRealm;`
			`LARGE_INTEGER StartTime;`
			`LARGE_INTEGER EndTime;`
			`LARGE_INTEGER RenewTime;`
			`LONG EncryptionType;`
			`ULONG TicketFlags;`
			`} KERB_TICKET_CACHE_INFO_EX, *PKERB_TICKET_CACHE_INFO_EX;`


			`typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`ULONG CountOfTickets;`
			`KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY];`
			`} KERB_QUERY_TKT_CACHE_RESPONSE, *PKERB_QUERY_TKT_CACHE_RESPONSE;`


			`typedef struct _KERB_QUERY_TKT_CACHE_EX_RESPONSE {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`ULONG CountOfTickets;`
			`KERB_TICKET_CACHE_INFO_EX Tickets[ANYSIZE_ARRAY];`
			`} KERB_QUERY_TKT_CACHE_EX_RESPONSE, *PKERB_QUERY_TKT_CACHE_EX_RESPONSE;`


			`//`
			`// Types for retrieving encoded ticket from the cache`
			`//`

			`#ifndef __SECHANDLE_DEFINED__`
			`typedef struct _SecHandle`
			`{`
			`ULONG_PTR dwLower ;`
			`ULONG_PTR dwUpper ;`
			`} SecHandle, * PSecHandle ;`

			`#define __SECHANDLE_DEFINED__`
			`#endif // __SECHANDLE_DEFINED__`

			`// Ticket Flags`
			`#define KERB_USE_DEFAULT_TICKET_FLAGS 0x0`

			`// CacheOptions`
			`#define KERB_RETRIEVE_TICKET_DEFAULT 0x0`
			`#define KERB_RETRIEVE_TICKET_DONT_USE_CACHE 0x1`
			`#define KERB_RETRIEVE_TICKET_USE_CACHE_ONLY 0x2`
			`#define KERB_RETRIEVE_TICKET_USE_CREDHANDLE 0x4`
			`#define KERB_RETRIEVE_TICKET_AS_KERB_CRED 0x8`
			`#define KERB_RETRIEVE_TICKET_WITH_SEC_CRED 0x10`

			`// Encryption Type options`
			`#define KERB_ETYPE_DEFAULT 0x0 // don't specify etype in tkt req.`

			`typedef struct _KERB_AUTH_DATA {`
			`ULONG Type;`
			`ULONG Length;`
			`PUCHAR Data;`
			`} KERB_AUTH_DATA, *PKERB_AUTH_DATA;`


			`typedef struct _KERB_NET_ADDRESS {`
			`ULONG Family;`
			`ULONG Length;`
			`PCHAR Address;`
			`} KERB_NET_ADDRESS, *PKERB_NET_ADDRESS;`


			`typedef struct _KERB_NET_ADDRESSES {`
			`ULONG Number;`
			`KERB_NET_ADDRESS Addresses[ANYSIZE_ARRAY];`
			`} KERB_NET_ADDRESSES, *PKERB_NET_ADDRESSES;`

			`//`
			`// Types for the information about a ticket`
			`//`

			`typedef struct _KERB_EXTERNAL_NAME {`
			`SHORT NameType;`
			`USHORT NameCount;`
			`UNICODE_STRING Names[ANYSIZE_ARRAY];`
			`} KERB_EXTERNAL_NAME, *PKERB_EXTERNAL_NAME;`


			`typedef struct _KERB_EXTERNAL_TICKET {`
			`PKERB_EXTERNAL_NAME ServiceName;`
			`PKERB_EXTERNAL_NAME TargetName;`
			`PKERB_EXTERNAL_NAME ClientName;`
			`UNICODE_STRING DomainName;`
			`UNICODE_STRING TargetDomainName;`
			`UNICODE_STRING AltTargetDomainName;`
			`KERB_CRYPTO_KEY SessionKey;`
			`ULONG TicketFlags;`
			`ULONG Flags;`
			`LARGE_INTEGER KeyExpirationTime;`
			`LARGE_INTEGER StartTime;`
			`LARGE_INTEGER EndTime;`
			`LARGE_INTEGER RenewUntil;`
			`LARGE_INTEGER TimeSkew;`
			`ULONG EncodedTicketSize;`
			`PUCHAR EncodedTicket;`
			`} KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET;`

			`#if 0`

			`typedef struct _KERB_EXTERNAL_TICKET_EX {`
			`PKERB_EXTERNAL_NAME ClientName;`
			`PKERB_EXTERNAL_NAME ServiceName;`
			`PKERB_EXTERNAL_NAME TargetName;`
			`UNICODE_STRING ClientRealm;`
			`UNICODE_STRING ServerRealm;`
			`UNICODE_STRING TargetDomainName;`
			`UNICODE_STRING AltTargetDomainName;`
			`KERB_CRYPTO_KEY SessionKey;`
			`ULONG TicketFlags;`
			`ULONG Flags;`
			`LARGE_INTEGER KeyExpirationTime;`
			`LARGE_INTEGER StartTime;`
			`LARGE_INTEGER EndTime;`
			`LARGE_INTEGER RenewUntil;`
			`LARGE_INTEGER TimeSkew;`
			`PKERB_NET_ADDRESSES TicketAddresses;`
			`PKERB_AUTH_DATA AuthorizationData;`
			`_KERB_EXTERNAL_TICKET_EX * SecondTicket;`
			`ULONG EncodedTicketSize;`
			`PUCHAR EncodedTicket;`
			`} KERB_EXTERNAL_TICKET_EX, *PKERB_EXTERNAL_TICKET_EX;`

			`#endif // 0`

			`typedef struct _KERB_RETRIEVE_TKT_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`UNICODE_STRING TargetName;`
			`ULONG TicketFlags;`
			`ULONG CacheOptions;`
			`LONG EncryptionType;`
			`SecHandle CredentialsHandle;`
			`} KERB_RETRIEVE_TKT_REQUEST, *PKERB_RETRIEVE_TKT_REQUEST;`

			`#if 0`

			`typedef struct _KERB_RETRIEVE_TKT_EX_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`KERB_TICKET_CACHE_INFO_EX TicketTemplate;`
			`ULONG CacheOptions;`
			`SecHandle CredentialsHandle;`
			`PKERB_EXTERNAL_TICKET_EX SecondTicket;`
			`PKERB_AUTH_DATA UserAuthData;`
			`PKERB_NET_ADDRESS Addresses;`
			`} KERB_RETRIEVE_TKT_EX_REQUEST, *PKERB_RETRIEVE_TKT_EX_REQUEST;`

			`#endif // 0`

			`typedef struct _KERB_RETRIEVE_TKT_RESPONSE {`
			`KERB_EXTERNAL_TICKET Ticket;`
			`} KERB_RETRIEVE_TKT_RESPONSE, *PKERB_RETRIEVE_TKT_RESPONSE;`

			`#if 0`

			`typedef struct _KERB_RETRIEVE_TKT_EX_RESPONSE {`
			`KERB_EXTERNAL_TICKET_EX Ticket;`
			`} KERB_RETRIEVE_TKT_EX_RESPONSE, *PKERB_RETRIEVE_TKT_EX_RESPONSE;`

			`#endif // 0`

			`//`
			`// Used to purge entries from the ticket cache`
			`//`

			`typedef struct _KERB_PURGE_TKT_CACHE_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`UNICODE_STRING ServerName;`
			`UNICODE_STRING RealmName;`
			`} KERB_PURGE_TKT_CACHE_REQUEST, *PKERB_PURGE_TKT_CACHE_REQUEST;`

			`//`
			`// Flags for purge requests`
			`//`

			`#define KERB_PURGE_ALL_TICKETS 1`

			`typedef struct _KERB_PURGE_TKT_CACHE_EX_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`ULONG Flags;`
			`KERB_TICKET_CACHE_INFO_EX TicketTemplate;`
			`} KERB_PURGE_TKT_CACHE_EX_REQUEST, *PKERB_PURGE_TKT_CACHE_EX_REQUEST;`


			`// end_ntsecapi`

			`//`
			`// This must match NT_OWF_PASSWORD_LENGTH`
			`//`


			`typedef struct _KERB_CHANGE_MACH_PWD_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`UNICODE_STRING NewPassword;`
			`UNICODE_STRING OldPassword;`
			`} KERB_CHANGE_MACH_PWD_REQUEST, *PKERB_CHANGE_MACH_PWD_REQUEST;`

			`//`
			`// These messages are used by the kerberos package to verify that the PAC in a`
			`// ticket is valid. It is remoted from a workstation to a DC in the workstation's`
			`// domain. On failure there is no response message. On success there may be no`
			`// message or the same message may be used to send back a PAC updated with`
			`// local groups from the domain controller. The checksum is placed in the`
			`// final buffer first, followed by the signature.`
			`//`

			`#include <pshpack1.h>`
			`typedef struct _KERB_VERIFY_PAC_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`ULONG ChecksumLength;`
			`ULONG SignatureType;`
			`ULONG SignatureLength;`
			`UCHAR ChecksumAndSignature[ANYSIZE_ARRAY];`
			`} KERB_VERIFY_PAC_REQUEST, *PKERB_VERIFY_PAC_REQUEST;`


			`//`
			`// Message for update Kerberos's list of addresses. The address count should`
			`// be the number of addresses & the addresses should be an array of`
			`// SOCKET_ADDRESS structures. The message type should be KerbUpdateAddressesMessage`
			`//`


			`typedef struct _KERB_UPDATE_ADDRESSES_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`ULONG AddressCount;`
			`ULONG Addresses[ANYSIZE_ARRAY]; // array of SOCKET_ADDRESS structures`
			`} KERB_UPDATE_ADDRESSES_REQUEST, *PKERB_UPDATE_ADDRESSES_REQUEST;`
			`#include <poppack.h>`

			`// begin_ntsecapi`

			`//`
			`// KerbChangePassword`
			`//`
			`// KerbChangePassword changes the password on the KDC account plus`
			`// the password cache and logon credentials if applicable.`
			`//`
			`//`

			`typedef struct _KERB_CHANGEPASSWORD_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`UNICODE_STRING DomainName;`
			`UNICODE_STRING AccountName;`
			`UNICODE_STRING OldPassword;`
			`UNICODE_STRING NewPassword;`
			`BOOLEAN Impersonating;`
			`} KERB_CHANGEPASSWORD_REQUEST, *PKERB_CHANGEPASSWORD_REQUEST;`











			`//`
			`// KerbSetPassword`
			`//`
			`// KerbSetPassword changes the password on the KDC account plus`
			`// the password cache and logon credentials if applicable.`
			`//`
			`//`

			`typedef struct _KERB_SETPASSWORD_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`SecHandle CredentialsHandle;`
			`ULONG Flags;`
			`UNICODE_STRING DomainName;`
			`UNICODE_STRING AccountName;`
			`UNICODE_STRING Password;`
			`} KERB_SETPASSWORD_REQUEST, *PKERB_SETPASSWORD_REQUEST;`


			`typedef struct _KERB_SETPASSWORD_EX_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`SecHandle CredentialsHandle;`
			`ULONG Flags;`
			`UNICODE_STRING AccountRealm;`
			`UNICODE_STRING AccountName;`
			`UNICODE_STRING Password;`
			`UNICODE_STRING ClientRealm;`
			`UNICODE_STRING ClientName;`
			`BOOLEAN Impersonating;`
			`UNICODE_STRING KdcAddress;`
			`ULONG KdcAddressType;`
			`} KERB_SETPASSWORD_EX_REQUEST, *PKERB_SETPASSWORD_EX_REQUEST;`


			`#define DS_UNKNOWN_ADDRESS_TYPE 0 // anything but IP`
			`#define KERB_SETPASS_USE_LOGONID 1`
			`#define KERB_SETPASS_USE_CREDHANDLE 2`


			`typedef struct _KERB_DECRYPT_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`LUID LogonId;`
			`ULONG Flags;`
			`LONG CryptoType;`
			`LONG KeyUsage;`
			`KERB_CRYPTO_KEY Key; // optional`
			`ULONG EncryptedDataSize;`
			`ULONG InitialVectorSize;`
			`PUCHAR InitialVector;`
			`PUCHAR EncryptedData;`
			`} KERB_DECRYPT_REQUEST, *PKERB_DECRYPT_REQUEST;`

			`//`
			`// If set, use the primary key from the current logon session of the one provided in the LogonId field.`
			`// Otherwise, use the Key in the KERB_DECRYPT_MESSAGE.`

			`#define KERB_DECRYPT_FLAG_DEFAULT_KEY 0x00000001`


			`typedef struct _KERB_DECRYPT_RESPONSE {`
			`UCHAR DecryptedData[ANYSIZE_ARRAY];`
			`} KERB_DECRYPT_RESPONSE, *PKERB_DECRYPT_RESPONSE;`


			`//`
			`// Request structure for adding a binding cache entry. TCB privilege`
			`// is required for this operation.`
			`//`

			`typedef struct _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`UNICODE_STRING RealmName;`
			`UNICODE_STRING KdcAddress;`
			`ULONG AddressType; //dsgetdc.h DS_NETBIOS_ADDRESS\|\|DS_INET_ADDRESS`
			`} KERB_ADD_BINDING_CACHE_ENTRY_REQUEST, *PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST;`



			`// end_ntsecapi`

			`typedef struct _KERB_VERIFY_CREDENTIALS_REQUEST {`
			`KERB_PROTOCOL_MESSAGE_TYPE MessageType;`
			`UNICODE_STRING UserName;`
			`UNICODE_STRING DomainName;`
			`UNICODE_STRING Password;`
			`ULONG VerifyFlags;`
			`} KERB_VERIFY_CREDENTIALS_REQUEST, *PKERB_VERIFY_CREDENTIALS_REQUEST;`


			`//`
			`// Location of Kerb authentication package data`
			`//`

			`#define KERB_SUBAUTHENTICATION_KEY "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos"`
			`#define KERB_SUBAUTHENTICATION_VALUE "Auth"`
			`#define KERB_SUBAUTHENTICATION_MASK 0x7fffffff`
			`#define KERB_SUBAUTHENTICATION_FLAG 0x80000000`


			`#endif // __KERBEROS_H__`