windows-nt/Source/XPSP1/NT/ds/published/inc/kerberos.w
2020-09-26 16:20:57 +08:00

655 lines
18 KiB
OpenEdge ABL

//+-----------------------------------------------------------------------
//
// Copyright (c) 1990-1999 Microsoft Corporation
//
// File: KERBEROS.H
//
// Contents: Public Kerberos Security Package structures for use
// with APIs from SECURITY.H
//
//
// History: 26 Feb 92, RichardW Compiled from other files
//
//------------------------------------------------------------------------
#ifndef __KERBEROS_H__
#define __KERBEROS_H__
#if _MSC_VER > 1000
#pragma once
#endif
#include <ntmsv1_0.h>
#include <kerbcon.h>
// begin_ntsecapi
#ifndef MICROSOFT_KERBEROS_NAME_A
#define MICROSOFT_KERBEROS_NAME_A "Kerberos"
#define MICROSOFT_KERBEROS_NAME_W L"Kerberos"
#ifdef WIN32_CHICAGO
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_A
#else
#define MICROSOFT_KERBEROS_NAME MICROSOFT_KERBEROS_NAME_W
#endif // WIN32_CHICAGO
#endif // MICROSOFT_KERBEROS_NAME_A
// end_ntsecapi
typedef struct _KERB_INIT_CONTEXT_DATA {
LARGE_INTEGER StartTime; // Start time
LARGE_INTEGER EndTime; // End time
LARGE_INTEGER RenewUntilTime; // Renew until time
ULONG TicketOptions; // From krb5.h
ULONG RequestOptions; // Options on what to return
} KERB_INIT_CONTEXT_DATA, *PKERB_INIT_CONTEXT_DATA;
#define KERB_INIT_RETURN_TICKET 0x1 // return raw ticket
#define KERB_INIT_RETURN_MIT_AP_REQ 0x2 // return MIT style AP request
// begin_ntsecapi
/////////////////////////////////////////////////////////////////////////
//
// Quality of protection parameters for MakeSignature / EncryptMessage
//
/////////////////////////////////////////////////////////////////////////
//
// This flag indicates to EncryptMessage that the message is not to actually
// be encrypted, but a header/trailer are to be produced.
//
#define KERB_WRAP_NO_ENCRYPT 0x80000001
/////////////////////////////////////////////////////////////////////////
//
// LsaLogonUser parameters
//
/////////////////////////////////////////////////////////////////////////
typedef enum _KERB_LOGON_SUBMIT_TYPE {
KerbInteractiveLogon = 2,
KerbSmartCardLogon = 6,
KerbWorkstationUnlockLogon = 7,
KerbSmartCardUnlockLogon = 8,
KerbProxyLogon = 9,
KerbTicketLogon = 10,
KerbTicketUnlockLogon = 11,
KerbS4ULogon = 12
} KERB_LOGON_SUBMIT_TYPE, *PKERB_LOGON_SUBMIT_TYPE;
typedef struct _KERB_INTERACTIVE_LOGON {
KERB_LOGON_SUBMIT_TYPE MessageType;
UNICODE_STRING LogonDomainName;
UNICODE_STRING UserName;
UNICODE_STRING Password;
} KERB_INTERACTIVE_LOGON, *PKERB_INTERACTIVE_LOGON;
typedef struct _KERB_INTERACTIVE_UNLOCK_LOGON {
KERB_INTERACTIVE_LOGON Logon;
LUID LogonId;
} KERB_INTERACTIVE_UNLOCK_LOGON, *PKERB_INTERACTIVE_UNLOCK_LOGON;
typedef struct _KERB_SMART_CARD_LOGON {
KERB_LOGON_SUBMIT_TYPE MessageType;
UNICODE_STRING Pin;
ULONG CspDataLength;
PUCHAR CspData;
} KERB_SMART_CARD_LOGON, *PKERB_SMART_CARD_LOGON;
typedef struct _KERB_SMART_CARD_UNLOCK_LOGON {
KERB_SMART_CARD_LOGON Logon;
LUID LogonId;
} KERB_SMART_CARD_UNLOCK_LOGON, *PKERB_SMART_CARD_UNLOCK_LOGON;
//
// Structure used for a ticket-only logon
//
typedef struct _KERB_TICKET_LOGON {
KERB_LOGON_SUBMIT_TYPE MessageType;
ULONG Flags;
ULONG ServiceTicketLength;
ULONG TicketGrantingTicketLength;
PUCHAR ServiceTicket; // REQUIRED: Service ticket "host"
PUCHAR TicketGrantingTicket; // OPTIONAL: User's encdoded in a KERB_CRED message, encrypted with session key from service ticket
} KERB_TICKET_LOGON, *PKERB_TICKET_LOGON;
//
// Flags for the ticket logon flags field
//
#define KERB_LOGON_FLAG_ALLOW_EXPIRED_TICKET 0x1
typedef struct _KERB_TICKET_UNLOCK_LOGON {
KERB_TICKET_LOGON Logon;
LUID LogonId;
} KERB_TICKET_UNLOCK_LOGON, *PKERB_TICKET_UNLOCK_LOGON;
//
// Used for S4U Client requests
//
//
typedef struct _KERB_S4U_LOGON {
KERB_LOGON_SUBMIT_TYPE MessageType;
ULONG Flags;
UNICODE_STRING ClientUpn; // REQUIRED: UPN for client
UNICODE_STRING ClientRealm; // Optional: Client Realm, if known
} KERB_S4U_LOGON, *PKERB_S4U_LOGON;
//
// TBD: Flags for S4UToSelf() logon
//
//
// Use the same profile structure as MSV1_0
//
typedef enum _KERB_PROFILE_BUFFER_TYPE {
KerbInteractiveProfile = 2,
KerbSmartCardProfile = 4,
KerbTicketProfile = 6
} KERB_PROFILE_BUFFER_TYPE, *PKERB_PROFILE_BUFFER_TYPE;
typedef struct _KERB_INTERACTIVE_PROFILE {
KERB_PROFILE_BUFFER_TYPE MessageType;
USHORT LogonCount;
USHORT BadPasswordCount;
LARGE_INTEGER LogonTime;
LARGE_INTEGER LogoffTime;
LARGE_INTEGER KickOffTime;
LARGE_INTEGER PasswordLastSet;
LARGE_INTEGER PasswordCanChange;
LARGE_INTEGER PasswordMustChange;
UNICODE_STRING LogonScript;
UNICODE_STRING HomeDirectory;
UNICODE_STRING FullName;
UNICODE_STRING ProfilePath;
UNICODE_STRING HomeDirectoryDrive;
UNICODE_STRING LogonServer;
ULONG UserFlags;
} KERB_INTERACTIVE_PROFILE, *PKERB_INTERACTIVE_PROFILE;
//
// For smart card, we return a smart card profile, which is an interactive
// profile plus a certificate
//
typedef struct _KERB_SMART_CARD_PROFILE {
KERB_INTERACTIVE_PROFILE Profile;
ULONG CertificateSize;
PUCHAR CertificateData;
} KERB_SMART_CARD_PROFILE, *PKERB_SMART_CARD_PROFILE;
//
// For a ticket logon profile, we return the session key from the ticket
//
typedef struct KERB_CRYPTO_KEY {
LONG KeyType;
ULONG Length;
PUCHAR Value;
} KERB_CRYPTO_KEY, *PKERB_CRYPTO_KEY;
typedef struct _KERB_TICKET_PROFILE {
KERB_INTERACTIVE_PROFILE Profile;
KERB_CRYPTO_KEY SessionKey;
} KERB_TICKET_PROFILE, *PKERB_TICKET_PROFILE;
typedef enum _KERB_PROTOCOL_MESSAGE_TYPE {
KerbDebugRequestMessage = 0,
KerbQueryTicketCacheMessage,
KerbChangeMachinePasswordMessage,
KerbVerifyPacMessage,
KerbRetrieveTicketMessage,
KerbUpdateAddressesMessage,
KerbPurgeTicketCacheMessage,
KerbChangePasswordMessage,
KerbRetrieveEncodedTicketMessage,
KerbDecryptDataMessage,
KerbAddBindingCacheEntryMessage,
KerbSetPasswordMessage,
KerbSetPasswordExMessage,
KerbVerifyCredentialsMessage,
KerbQueryTicketCacheExMessage,
KerbPurgeTicketCacheExMessage,
// KerbRetrieveEncodedTicketExMessage,
} KERB_PROTOCOL_MESSAGE_TYPE, *PKERB_PROTOCOL_MESSAGE_TYPE;
// end_ntsecapi
//
// Structure for a debuggin requequest
//
#define KERB_DEBUG_REQ_BREAKPOINT 0x1
#define KERB_DEBUG_REQ_CALL_PACK 0x2
#define KERB_DEBUG_REQ_DATAGRAM 0x3
#define KERB_DEBUG_REQ_STATISTICS 0x4
#define KERB_DEBUG_CREATE_TOKEN 0x5
typedef struct _KERB_DEBUG_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG DebugRequest;
} KERB_DEBUG_REQUEST, *PKERB_DEBUG_REQUEST;
typedef struct _KERB_DEBUG_REPLY {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
UCHAR Data[ANYSIZE_ARRAY];
} KERB_DEBUG_REPLY, *PKERB_DEBUG_REPLY;
typedef struct _KERB_DEBUG_STATS {
ULONG CacheHits;
ULONG CacheMisses;
ULONG SkewedRequests;
ULONG SuccessRequests;
LARGE_INTEGER LastSync;
} KERB_DEBUG_STATS, *PKERB_DEBUG_STATS;
// begin_ntsecapi
//
// Used both for retrieving tickets and for querying ticket cache
//
typedef struct _KERB_QUERY_TKT_CACHE_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
} KERB_QUERY_TKT_CACHE_REQUEST, *PKERB_QUERY_TKT_CACHE_REQUEST;
typedef struct _KERB_TICKET_CACHE_INFO {
UNICODE_STRING ServerName;
UNICODE_STRING RealmName;
LARGE_INTEGER StartTime;
LARGE_INTEGER EndTime;
LARGE_INTEGER RenewTime;
LONG EncryptionType;
ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO, *PKERB_TICKET_CACHE_INFO;
typedef struct _KERB_TICKET_CACHE_INFO_EX {
UNICODE_STRING ClientName;
UNICODE_STRING ClientRealm;
UNICODE_STRING ServerName;
UNICODE_STRING ServerRealm;
LARGE_INTEGER StartTime;
LARGE_INTEGER EndTime;
LARGE_INTEGER RenewTime;
LONG EncryptionType;
ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO_EX, *PKERB_TICKET_CACHE_INFO_EX;
typedef struct _KERB_QUERY_TKT_CACHE_RESPONSE {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG CountOfTickets;
KERB_TICKET_CACHE_INFO Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_RESPONSE, *PKERB_QUERY_TKT_CACHE_RESPONSE;
typedef struct _KERB_QUERY_TKT_CACHE_EX_RESPONSE {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG CountOfTickets;
KERB_TICKET_CACHE_INFO_EX Tickets[ANYSIZE_ARRAY];
} KERB_QUERY_TKT_CACHE_EX_RESPONSE, *PKERB_QUERY_TKT_CACHE_EX_RESPONSE;
//
// Types for retrieving encoded ticket from the cache
//
#ifndef __SECHANDLE_DEFINED__
typedef struct _SecHandle
{
ULONG_PTR dwLower ;
ULONG_PTR dwUpper ;
} SecHandle, * PSecHandle ;
#define __SECHANDLE_DEFINED__
#endif // __SECHANDLE_DEFINED__
// Ticket Flags
#define KERB_USE_DEFAULT_TICKET_FLAGS 0x0
// CacheOptions
#define KERB_RETRIEVE_TICKET_DEFAULT 0x0
#define KERB_RETRIEVE_TICKET_DONT_USE_CACHE 0x1
#define KERB_RETRIEVE_TICKET_USE_CACHE_ONLY 0x2
#define KERB_RETRIEVE_TICKET_USE_CREDHANDLE 0x4
#define KERB_RETRIEVE_TICKET_AS_KERB_CRED 0x8
#define KERB_RETRIEVE_TICKET_WITH_SEC_CRED 0x10
// Encryption Type options
#define KERB_ETYPE_DEFAULT 0x0 // don't specify etype in tkt req.
typedef struct _KERB_AUTH_DATA {
ULONG Type;
ULONG Length;
PUCHAR Data;
} KERB_AUTH_DATA, *PKERB_AUTH_DATA;
typedef struct _KERB_NET_ADDRESS {
ULONG Family;
ULONG Length;
PCHAR Address;
} KERB_NET_ADDRESS, *PKERB_NET_ADDRESS;
typedef struct _KERB_NET_ADDRESSES {
ULONG Number;
KERB_NET_ADDRESS Addresses[ANYSIZE_ARRAY];
} KERB_NET_ADDRESSES, *PKERB_NET_ADDRESSES;
//
// Types for the information about a ticket
//
typedef struct _KERB_EXTERNAL_NAME {
SHORT NameType;
USHORT NameCount;
UNICODE_STRING Names[ANYSIZE_ARRAY];
} KERB_EXTERNAL_NAME, *PKERB_EXTERNAL_NAME;
typedef struct _KERB_EXTERNAL_TICKET {
PKERB_EXTERNAL_NAME ServiceName;
PKERB_EXTERNAL_NAME TargetName;
PKERB_EXTERNAL_NAME ClientName;
UNICODE_STRING DomainName;
UNICODE_STRING TargetDomainName;
UNICODE_STRING AltTargetDomainName;
KERB_CRYPTO_KEY SessionKey;
ULONG TicketFlags;
ULONG Flags;
LARGE_INTEGER KeyExpirationTime;
LARGE_INTEGER StartTime;
LARGE_INTEGER EndTime;
LARGE_INTEGER RenewUntil;
LARGE_INTEGER TimeSkew;
ULONG EncodedTicketSize;
PUCHAR EncodedTicket;
} KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET;
#if 0
typedef struct _KERB_EXTERNAL_TICKET_EX {
PKERB_EXTERNAL_NAME ClientName;
PKERB_EXTERNAL_NAME ServiceName;
PKERB_EXTERNAL_NAME TargetName;
UNICODE_STRING ClientRealm;
UNICODE_STRING ServerRealm;
UNICODE_STRING TargetDomainName;
UNICODE_STRING AltTargetDomainName;
KERB_CRYPTO_KEY SessionKey;
ULONG TicketFlags;
ULONG Flags;
LARGE_INTEGER KeyExpirationTime;
LARGE_INTEGER StartTime;
LARGE_INTEGER EndTime;
LARGE_INTEGER RenewUntil;
LARGE_INTEGER TimeSkew;
PKERB_NET_ADDRESSES TicketAddresses;
PKERB_AUTH_DATA AuthorizationData;
_KERB_EXTERNAL_TICKET_EX * SecondTicket;
ULONG EncodedTicketSize;
PUCHAR EncodedTicket;
} KERB_EXTERNAL_TICKET_EX, *PKERB_EXTERNAL_TICKET_EX;
#endif // 0
typedef struct _KERB_RETRIEVE_TKT_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
UNICODE_STRING TargetName;
ULONG TicketFlags;
ULONG CacheOptions;
LONG EncryptionType;
SecHandle CredentialsHandle;
} KERB_RETRIEVE_TKT_REQUEST, *PKERB_RETRIEVE_TKT_REQUEST;
#if 0
typedef struct _KERB_RETRIEVE_TKT_EX_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
KERB_TICKET_CACHE_INFO_EX TicketTemplate;
ULONG CacheOptions;
SecHandle CredentialsHandle;
PKERB_EXTERNAL_TICKET_EX SecondTicket;
PKERB_AUTH_DATA UserAuthData;
PKERB_NET_ADDRESS Addresses;
} KERB_RETRIEVE_TKT_EX_REQUEST, *PKERB_RETRIEVE_TKT_EX_REQUEST;
#endif // 0
typedef struct _KERB_RETRIEVE_TKT_RESPONSE {
KERB_EXTERNAL_TICKET Ticket;
} KERB_RETRIEVE_TKT_RESPONSE, *PKERB_RETRIEVE_TKT_RESPONSE;
#if 0
typedef struct _KERB_RETRIEVE_TKT_EX_RESPONSE {
KERB_EXTERNAL_TICKET_EX Ticket;
} KERB_RETRIEVE_TKT_EX_RESPONSE, *PKERB_RETRIEVE_TKT_EX_RESPONSE;
#endif // 0
//
// Used to purge entries from the ticket cache
//
typedef struct _KERB_PURGE_TKT_CACHE_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
UNICODE_STRING ServerName;
UNICODE_STRING RealmName;
} KERB_PURGE_TKT_CACHE_REQUEST, *PKERB_PURGE_TKT_CACHE_REQUEST;
//
// Flags for purge requests
//
#define KERB_PURGE_ALL_TICKETS 1
typedef struct _KERB_PURGE_TKT_CACHE_EX_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
ULONG Flags;
KERB_TICKET_CACHE_INFO_EX TicketTemplate;
} KERB_PURGE_TKT_CACHE_EX_REQUEST, *PKERB_PURGE_TKT_CACHE_EX_REQUEST;
// end_ntsecapi
//
// This must match NT_OWF_PASSWORD_LENGTH
//
typedef struct _KERB_CHANGE_MACH_PWD_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING NewPassword;
UNICODE_STRING OldPassword;
} KERB_CHANGE_MACH_PWD_REQUEST, *PKERB_CHANGE_MACH_PWD_REQUEST;
//
// These messages are used by the kerberos package to verify that the PAC in a
// ticket is valid. It is remoted from a workstation to a DC in the workstation's
// domain. On failure there is no response message. On success there may be no
// message or the same message may be used to send back a PAC updated with
// local groups from the domain controller. The checksum is placed in the
// final buffer first, followed by the signature.
//
#include <pshpack1.h>
typedef struct _KERB_VERIFY_PAC_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG ChecksumLength;
ULONG SignatureType;
ULONG SignatureLength;
UCHAR ChecksumAndSignature[ANYSIZE_ARRAY];
} KERB_VERIFY_PAC_REQUEST, *PKERB_VERIFY_PAC_REQUEST;
//
// Message for update Kerberos's list of addresses. The address count should
// be the number of addresses & the addresses should be an array of
// SOCKET_ADDRESS structures. The message type should be KerbUpdateAddressesMessage
//
typedef struct _KERB_UPDATE_ADDRESSES_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
ULONG AddressCount;
ULONG Addresses[ANYSIZE_ARRAY]; // array of SOCKET_ADDRESS structures
} KERB_UPDATE_ADDRESSES_REQUEST, *PKERB_UPDATE_ADDRESSES_REQUEST;
#include <poppack.h>
// begin_ntsecapi
//
// KerbChangePassword
//
// KerbChangePassword changes the password on the KDC account plus
// the password cache and logon credentials if applicable.
//
//
typedef struct _KERB_CHANGEPASSWORD_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING DomainName;
UNICODE_STRING AccountName;
UNICODE_STRING OldPassword;
UNICODE_STRING NewPassword;
BOOLEAN Impersonating;
} KERB_CHANGEPASSWORD_REQUEST, *PKERB_CHANGEPASSWORD_REQUEST;
//
// KerbSetPassword
//
// KerbSetPassword changes the password on the KDC account plus
// the password cache and logon credentials if applicable.
//
//
typedef struct _KERB_SETPASSWORD_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
SecHandle CredentialsHandle;
ULONG Flags;
UNICODE_STRING DomainName;
UNICODE_STRING AccountName;
UNICODE_STRING Password;
} KERB_SETPASSWORD_REQUEST, *PKERB_SETPASSWORD_REQUEST;
typedef struct _KERB_SETPASSWORD_EX_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
SecHandle CredentialsHandle;
ULONG Flags;
UNICODE_STRING AccountRealm;
UNICODE_STRING AccountName;
UNICODE_STRING Password;
UNICODE_STRING ClientRealm;
UNICODE_STRING ClientName;
BOOLEAN Impersonating;
UNICODE_STRING KdcAddress;
ULONG KdcAddressType;
} KERB_SETPASSWORD_EX_REQUEST, *PKERB_SETPASSWORD_EX_REQUEST;
#define DS_UNKNOWN_ADDRESS_TYPE 0 // anything *but* IP
#define KERB_SETPASS_USE_LOGONID 1
#define KERB_SETPASS_USE_CREDHANDLE 2
typedef struct _KERB_DECRYPT_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
LUID LogonId;
ULONG Flags;
LONG CryptoType;
LONG KeyUsage;
KERB_CRYPTO_KEY Key; // optional
ULONG EncryptedDataSize;
ULONG InitialVectorSize;
PUCHAR InitialVector;
PUCHAR EncryptedData;
} KERB_DECRYPT_REQUEST, *PKERB_DECRYPT_REQUEST;
//
// If set, use the primary key from the current logon session of the one provided in the LogonId field.
// Otherwise, use the Key in the KERB_DECRYPT_MESSAGE.
#define KERB_DECRYPT_FLAG_DEFAULT_KEY 0x00000001
typedef struct _KERB_DECRYPT_RESPONSE {
UCHAR DecryptedData[ANYSIZE_ARRAY];
} KERB_DECRYPT_RESPONSE, *PKERB_DECRYPT_RESPONSE;
//
// Request structure for adding a binding cache entry. TCB privilege
// is required for this operation.
//
typedef struct _KERB_ADD_BINDING_CACHE_ENTRY_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING RealmName;
UNICODE_STRING KdcAddress;
ULONG AddressType; //dsgetdc.h DS_NETBIOS_ADDRESS||DS_INET_ADDRESS
} KERB_ADD_BINDING_CACHE_ENTRY_REQUEST, *PKERB_ADD_BINDING_CACHE_ENTRY_REQUEST;
// end_ntsecapi
typedef struct _KERB_VERIFY_CREDENTIALS_REQUEST {
KERB_PROTOCOL_MESSAGE_TYPE MessageType;
UNICODE_STRING UserName;
UNICODE_STRING DomainName;
UNICODE_STRING Password;
ULONG VerifyFlags;
} KERB_VERIFY_CREDENTIALS_REQUEST, *PKERB_VERIFY_CREDENTIALS_REQUEST;
//
// Location of Kerb authentication package data
//
#define KERB_SUBAUTHENTICATION_KEY "SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos"
#define KERB_SUBAUTHENTICATION_VALUE "Auth"
#define KERB_SUBAUTHENTICATION_MASK 0x7fffffff
#define KERB_SUBAUTHENTICATION_FLAG 0x80000000
#endif // __KERBEROS_H__