format of authorization data in a win2k ticket

Assar Westerlund assar at
Thu Sep 23 01:45:48 GMT 1999

Matt Chapman <matty at> writes:

Hi Matt.

> Very nice... here's my preliminary decode of this. The body is a
> USER_INFO_3 structure (or similar); there are some undecoded bytes
> before it and what seems to be a Kerberos implementation related structure
> after it.


> 00002ea: 0000 0000 76ff ffff // unknown
> 00002f2: 3c7f f138 ae11 cdb0 // uint8 crypt1[16]; // ??
> 00002fa: 9153 4b17 da8a 5593
> 0000302: 0000 0000 76ff ffff // unknown
> 000030a: a886 4dbc daf8 15fe // uint8 crypt2[16]; // ??
> 0000312: 8250 9229 6a09 e654
> 000031a: 0000 0000           // unknown

I would guess that the crypt1 and crypt2 are some kind of signatures
here?  According to what I read from the documentation, the contents
is supposed to be signed.  Once we can figure out the signing algorithm
for this (which might be hard), we can add code to start generating
this extra data and see how the clients react to it.


More information about the samba-ntdom mailing list