2.4 PAC_INFO_BUFFER

Following the PACTYPE (section 2.3) structure is an array of PAC_INFO_BUFFER structures each of which defines the type and byte offset to a buffer of the PAC. The PAC_INFO_BUFFER array has no defined ordering. Therefore, the order of the PAC_INFO_BUFFER buffers has no significance. However, once the Key Distribution Center (KDC) and server signatures are generated, the ordering of the buffers MUST NOT change, or signature verification of the PAC contents will fail.

The PAC_INFO_BUFFER structure is defined as follows.

 typedef struct _PAC_INFO_BUFFER {
     ULONG ulType;
     ULONG cbBufferSize;
     ULONG64 Offset;
 } PAC_INFO_BUFFER, *PPAC_INFO_BUFFER;

The format of the PAC_INFO_BUFFER structure is defined as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

ulType

cbBufferSize

Offset

...

ulType (4 bytes): A 32-bit unsigned integer in little-endian format that describes the type of data present in the buffer contained at Offset. Types that are not understood MUST be ignored.

Value

Meaning

0x00000001
(1)

Logon information (section 2.5). PAC structures MUST contain one buffer of this type. Additional logon information buffers MUST be ignored.

0x00000002
(2)

Credentials information (section 2.6). PAC structures SHOULD NOT contain more than one buffer of this type, based on constraints specified in section 2.6. Second or subsequent credentials information buffers MUST be ignored on receipt.

0x00000006
(6)

Server checksum (section 2.8). PAC structures MUST contain one buffer of this type for Kerberos ticket-granting service (TGS) requests or Kerberos application protocol (AP) requests, and none otherwise. Additional logon server checksum buffers MUST be ignored.

0x00000007
(7)

KDC (privilege server) checksum (section 2.8). PAC structures MUST contain one buffer of this type for Kerberos ticket-granting service (TGS) requests or Kerberos application protocol (AP) requests, and none otherwise. Additional KDC checksum buffers MUST be ignored.

0x0000000A
(10)

Client name and ticket information (section 2.7). PAC structures MUST contain one buffer of this type. Additional client and ticket information buffers MUST be ignored.

0x0000000B
(11)

Constrained delegation information (section 2.9). PAC structures MUST contain one buffer of this type for Service for User to Proxy (S4U2proxy) [MS-SFU] requests and none otherwise. Additional constrained delegation information buffers MUST be ignored.

0x0000000C

(12)

User principal name (UPN) and Domain Name System (DNS) information (section 2.10). PAC structures SHOULD NOT<3> contain more than one buffer of this type. Second or subsequent UPN and DNS information buffers MUST be ignored on receipt.

0x0000000D
(13)

Client claims information (section 2.11). PAC structures SHOULD NOT<4> contain more than one buffer of this type. Additional client claims information buffers MUST be ignored.

0x0000000E
(14)

Device information (section 2.12). PAC structures SHOULD NOT<5> contain more than one buffer of this type. Additional device information buffers MUST be ignored.

0x0000000F
(15)

Device claims information (section 2.13). PAC structures SHOULD NOT<6> contain more than one buffer of this type. Additional device claims information buffers MUST be ignored.

0x00000010
(16)

Ticket checksum (section 2.8). PAC structures MUST contain one buffer of this type for Kerberos ticket-granting service (TGS) requests, and none otherwise. Additional ticket checksum buffers MUST be ignored.<7>

0x00000011
(17)

PAC Attributes indicates that the buffer contains attribute bits for the PAC (section 2.14). PAC structures SHOULD NOT contain more than one buffer of this type. Additional attribute buffers MUST be ignored.<8>

0x00000012
(18)

PAC Requestor SID indicates that the buffer contains the SID of principal that requested the PAC (section 2.15). PAC structures MUST contain one buffer of this type.<9>

0x00000013
(19)

Extended KDC (privilege server) checksum (section 2.8). PAC structures MUST contain one buffer of this type for Kerberos ticket-granting service (TGS) requests, and none otherwise. Additional Extended KDC checksum buffers MUST be ignored.<10>

0x00000014
(20)

PAC Requestor GUID indicates that the buffer contains the GUID of the principal that requested the PAC (section 2.16).

cbBufferSize (4 bytes): A 32-bit unsigned integer in little-endian format that contains the size, in bytes, of the buffer in the PAC located at Offset.

Offset (8 bytes): A 64-bit unsigned integer in little-endian format that contains the offset to the beginning of the buffer, in bytes, from the beginning of the PACTYPE structure (section 2.3). The data offset MUST be a multiple of eight. The following sections specify the format of each type of element.