format of authorization data in a win2k ticket

Assar Westerlund assar at sics.se
Wed Sep 22 03:02:34 GMT 1999


[ note mailing lists in headers, feel free to trim list in any replies ]

I did some testing with Heimdal against a Windows 2000 rc1 KDC and
after having managed to get a client on the w2k-box to authenticate to my
server I got ahold of an encrypted ticket with the extra authorization
data in it.  The entire contents of the authorization data that I got
is available at <http://www.sics.se/~assar/add-ticket>.

Decoding it, you get an AuthorizationData with tag AD-IF-RELEVANT and
then in the data portion of that:

UNIV CONS Sequence = {
  UNIV CONS Sequence = {
    CONTEXT CONS tag 0 = [0]
    UNIV PRIM Integer = integer 128
    CONTEXT CONS tag 1 = [1]
    UNIV PRIM OctetString = length = 776, 04000000000000000100000068020000 <...>
  }
}

And the octet string contains lots of uninterpretable data (to me)
but includes the client name (Administrator), the host name (TERMIT),
and the first component of the domain name (FOO), and you can also
find four SIDs in there but I haven't been able to figure out what
these SIDs belong to.  It's unclear how you would get out the SIDs of
particular users from the database but it's clear that the SIDs belong
to this domain since the prefix of them is the same as the SIDs that
can be found in the registry.

If anyone can bring some more clarity on the data in the octet string,
that would be very nice.

The programs that I used for extracting these are available.  Just
tell me if you're interested.

/assar
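The two-level decoding the message describes (an AD-IF-RELEVANT element whose data portion is another AuthorizationData with ad-type 128, whose octet string starts 04000000 00000000 01000000 68020000), as an added Python example that is not part of the post, of Heimdal or of Samba. The name AD-WIN2K-PAC for ad-type 128 and the PACTYPE / PAC_INFO_BUFFER layout used to read the start of the octet string are taken from Microsoft's later-published MS-PAC specification, not from the message; everything in the sample beyond the quoted 16-byte prefix (the other three buffer sizes, all offsets, the zero-filled bodies) is constructed, and the tiny DER encoder exists only to build that sample.

```python
import struct

# Constructed sample: only these 16 bytes come from the post; the rest of the
# PAC directory and the buffer bodies are made up for the example.
PAC_PREFIX_FROM_POST = bytes.fromhex("04000000000000000100000068020000")

AD_IF_RELEVANT = 1   # RFC 4120 ad-type
AD_WIN2K_PAC = 128   # ad-type seen in the post; the name is from MS-PAC, not the post

PAC_BUFFER_NAMES = {  # ulType values from MS-PAC section 2.4 (assumption: spec, not the post)
    1: "PAC_LOGON_INFO",
    6: "PAC_SERVER_CHECKSUM",
    7: "PAC_PRIVSVR_CHECKSUM",
    10: "PAC_CLIENT_INFO",
}


def der_encode(tag, value):
    """Minimal DER TLV encoder: single-byte tag, definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + value


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def der_integer(v):
    """DER INTEGER is two's complement, so 128 needs a leading 0x00 (02 02 00 80)."""
    nb = max(1, (v.bit_length() + 8) // 8)
    return der_encode(0x02, v.to_bytes(nb, "big", signed=True))


def encode_authorization_data(entries):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] INTEGER, ad-data [1] OCTET STRING }."""
    elems = b"".join(
        der_encode(0x30, der_encode(0xA0, der_integer(t)) + der_encode(0xA1, der_encode(0x04, d)))
        for t, d in entries)
    return der_encode(0x30, elems)


def decode_authorization_data(buf):
    """Inverse of encode_authorization_data; returns a list of (ad-type, ad-data)."""
    tag, seq_of, _ = der_read(buf, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF")
    entries, pos = [], 0
    while pos < len(seq_of):
        tag, elem, pos = der_read(seq_of, pos)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE")
        tag0, ctx0, p = der_read(elem, 0)
        itag, ival, _ = der_read(ctx0, 0)
        if tag0 != 0xA0 or itag != 0x02:
            raise ValueError("expected [0] INTEGER ad-type")
        tag1, ctx1, _ = der_read(elem, p)
        otag, oval, _ = der_read(ctx1, 0)
        if tag1 != 0xA1 or otag != 0x04:
            raise ValueError("expected [1] OCTET STRING ad-data")
        entries.append((int.from_bytes(ival, "big", signed=True), oval))
    return entries


def parse_pac_header(pac):
    """PACTYPE { cBuffers u32, Version u32, PAC_INFO_BUFFER[] }, little-endian, per MS-PAC.
    Each PAC_INFO_BUFFER is { ulType u32, cbBufferSize u32, Offset u64 }.
    A directory entry pointing outside the blob is rejected rather than followed."""
    c_buffers, version = struct.unpack_from("<II", pac, 0)
    buffers = []
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError(f"buffer {i} (type {ul_type}) overruns the PAC blob")
        buffers.append((ul_type, size, offset))
    return version, buffers


def build_sample_pac():
    """Constructed PAC: four-entry directory, zero-filled bodies. Only the first
    16 bytes (cBuffers=4, Version=0, ulType=1, cbBufferSize=0x268) match the post."""
    layout = [(1, 0x268), (10, 0x18), (6, 0x10), (7, 0x10)]  # (ulType, cbBufferSize), last three made up
    header, body, offset = struct.pack("<II", len(layout), 0), b"", 8 + 16 * len(layout)
    for ul_type, size in layout:
        header += struct.pack("<IIQ", ul_type, size, offset)
        body += bytes(size)
        offset += size
    return header + body


def decode_ticket_authz(blob):
    """Walk AD-IF-RELEVANT -> ad-type 128 -> PAC directory, as the post's ticket is laid out."""
    result = []
    for ad_type, ad_data in decode_authorization_data(blob):
        if ad_type != AD_IF_RELEVANT:
            continue
        for inner_type, inner_data in decode_authorization_data(ad_data):
            if inner_type == AD_WIN2K_PAC:
                version, buffers = parse_pac_header(inner_data)
                result.append((version, [(PAC_BUFFER_NAMES.get(t, f"type {t}"), s, o)
                                         for t, s, o in buffers]))
    return result


SAMPLE_PAC = build_sample_pac()
SAMPLE_AUTHZ = encode_authorization_data(
    [(AD_IF_RELEVANT, encode_authorization_data([(AD_WIN2K_PAC, SAMPLE_PAC)]))])

if __name__ == "__main__":
    for version, buffers in decode_ticket_authz(SAMPLE_AUTHZ):
        print("PAC version", version)
        for name, size, offset in buffers:
            print(f"  {name:20s} size={size:4d} offset=0x{offset:x}")
```

The bounds check in `parse_pac_header` is the part worth keeping in any real consumer: the directory offsets and sizes arrive from the network inside the ticket, and code that trusts them directly as indices into the blob is what turns a malformed PAC into a crash or an over-read.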
