kerberos authorization_data in TGS_REQ

  • Question

  • Hello,
    While doing a TGS-REQ, the Microsoft RDP client sends AuthorizationData (encrypted) to the server.


    AuthorizationData       ::= SEQUENCE OF SEQUENCE {
            ad-type         [0] Int32,
            ad-data         [1] OCTET STRING
    }

    The full AuthorizationData is

    30 4E 30 4C A0 03 02 01 01 A1 45 04 43 30 41 30 3F A0 04 02 02 00 8D A1 37 04 35 30 33 30 31 A0 03 02 01 00 A1 2A 04 28 00 00 00 00 00 30 00 00 BE 6A E8 36 2D 6F C4 8E D4 22 08 AC 6F 0F 5A 92 89 EE 46 3D E4 65 90 39 2C 0E 12 A7 50 A7 CB A9

    ad-type =0x1

    ad-data =

    04 43 30 41 30 3F A0 04 02 02 00 8D A1 37 04 35 30 33 30 31 A0 03 02 01 00 A1 2A 04 28 00 00 00 00 00 30 00 00 BE 6A E8 36 2D 6F C4 8E D4 22 08 AC 6F 0F 5A 92 89 EE 46 3D E4 65 90 39 2C 0E 12 A7 50 A7 CB A9

    This is the AD-IF-RELEVANT data type, which is again an AuthorizationData, which has ad-type = 141.

    There is no information about ad-type 141 in either RFC 4120 or MS-KILE.

    Can you please let me know the details of this AuthorizationData?
    Monday, January 23, 2012 8:34 AM

Answers

  • Hi

    The ad-type 141 is an MS-KILE extension as described in section “3.1.5.5   Other Elements and Options”.

     

    It is called KERB_AUTH_DATA_TOKEN_RESTRICTIONS. Sections 3.2.5.7 and 3.4.5.3 have more details about this authorization data type. I would recommend reading MS-KILE in its entirety to have the proper context for the sections I mentioned above.

     

    Please let me know if this does not answer your question.


    Regards, Obaid Farooqi
    Tuesday, January 24, 2012 8:28 PM
    Owner
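
An added example, not part of the original thread: a minimal Python DER walker that decodes the AuthorizationData bytes quoted in the question and unwraps the AD-IF-RELEVANT container to reach the ad-type 141 element. The function names are hypothetical, and the label for 141 is the name given in the answer above.

```python
# Added example (not from the thread). SAMPLE is the AuthorizationData hex quoted in the question.
AD_IF_RELEVANT = 1
AD_NAMES = {1: "AD-IF-RELEVANT", 141: "KERB_AUTH_DATA_TOKEN_RESTRICTIONS"}
SAMPLE = bytes.fromhex(
    "30 4E 30 4C A0 03 02 01 01 A1 45 04 43 30 41 30 3F A0 04 02 02 00 8D A1 37 04 35"
    "30 33 30 31 A0 03 02 01 00 A1 2A 04 28 00 00 00 00 00 30 00 00 BE 6A E8 36 2D 6F"
    "C4 8E D4 22 08 AC 6F 0F 5A 92 89 EE 46 3D E4 65 90 39 2C 0E 12 A7 50 A7 CB A9")

def read_tlv(buf, pos, tag):
    """Return (value, next_pos) for the DER TLV at pos, checking tag and bounds."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + length], pos + length

def parse_authorization_data(buf):
    """Decode SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }."""
    body, end = read_tlv(buf, 0, 0x30)
    if end != len(buf):
        raise ValueError("trailing bytes after AuthorizationData")
    entries, pos = [], 0
    while pos < len(body):
        entry, pos = read_tlv(body, pos, 0x30)
        tagged_type, p = read_tlv(entry, 0, 0xA0)     # [0] ad-type
        tagged_data, _ = read_tlv(entry, p, 0xA1)     # [1] ad-data
        ad_type = int.from_bytes(read_tlv(tagged_type, 0, 0x02)[0], "big", signed=True)
        ad_data = read_tlv(tagged_data, 0, 0x04)[0]
        entries.append((ad_type, ad_data))
    return entries

def walk(buf, depth=0):
    """Flatten to (depth, ad_type, ad_data), unwrapping AD-IF-RELEVANT containers."""
    out = []
    for ad_type, ad_data in parse_authorization_data(buf):
        out.append((depth, ad_type, ad_data))
        if ad_type == AD_IF_RELEVANT:    # RFC 4120: its ad-data is itself AuthorizationData
            out.extend(walk(ad_data, depth + 1))
    return out

if __name__ == "__main__":
    for depth, ad_type, ad_data in walk(SAMPLE):
        print("  " * depth + f"{AD_NAMES.get(ad_type, 'unknown')} ({ad_type}): {len(ad_data)} bytes")
```

In this capture the ad-type 141 payload also parses with `parse_authorization_data`, yielding a single entry of type 0 carrying 40 bytes; how to interpret those bytes is covered in the MS-KILE sections cited in the answer.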

All replies

  • Hi ohai19,

    Thank you for your question.  A colleague will follow up with you to work on this issue.

    Regards,
    Mark Miller
    Escalation Engineer
    US-CSS DSC PROTOCOL TEAM

    Monday, January 23, 2012 2:46 PM
  • Hi Ohai19:

    I'll help you with this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi
    Monday, January 23, 2012 8:24 PM
    Owner