8.5 Authorisation data

The Windows 2000 KDC also adds extra authorisation data to tickets. It is at this point unclear what triggers it to do this. The format of this data is only available under a “secret” license from Microsoft, which prohibits you from implementing it.

A simple way of getting hold of the data, so that it can be understood better, is described here.

  1. Find the client example on using the SSPI in the SDK documentation.
  2. Change “AuthSamp” in the source code to lowercase.
  3. Build the program.
  4. Add the “authsamp” principal with a known password to the database. Make sure it has a DES key.
  5. Run ktutil add to add the key for that principal to a keytab.
  6. Run appl/test/nt_gss_server -p 2000 -s authsamp --dump-auth=file where file is an appropriate file.
  7. It should authenticate and dump the authorisation data to the file.
  8. The tool lib/asn1/asn1_print is somewhat useful for analysing the data.
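
For a closer look than step 8 gives, the sketch below walks the outer ASN.1 layer of authorisation data as defined in RFC 4120 and returns each element's type and payload. It is an added example, not part of Heimdal; it assumes the dumped file holds a DER-encoded AuthorizationData, and the function names and the sample bytes are constructed for illustration.

```python
# Added example: walk DER-encoded AuthorizationData (RFC 4120), i.e.
#   SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }

def read_tlv(buf, pos, want):
    """Decode one DER element at pos; return (value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    if buf[pos] != want:
        raise ValueError(f"expected tag {want:#x}, got {buf[pos]:#x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits count length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length

def parse_authorization_data(der):
    """Return [(ad_type, ad_data), ...] for one encoded AuthorizationData."""
    seq, end = read_tlv(der, 0, 0x30)     # outer SEQUENCE OF
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    out, pos = [], 0
    while pos < len(seq):
        elem, pos = read_tlv(seq, pos, 0x30)       # one element
        wrapped_type, p = read_tlv(elem, 0, 0xA0)  # [0] ad-type
        ad_type, _ = read_tlv(wrapped_type, 0, 0x02)
        wrapped_data, _ = read_tlv(elem, p, 0xA1)  # [1] ad-data
        ad_data, _ = read_tlv(wrapped_data, 0, 0x04)
        out.append((int.from_bytes(ad_type, "big", signed=True), ad_data))
    return out

def enc(tag, body):
    """DER-encode one element (used only to build the sample below)."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + body

def element(ad_type, ad_data):
    t = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big", signed=True)
    return enc(0x30, enc(0xA0, enc(0x02, t)) + enc(0xA1, enc(0x04, ad_data)))

# Constructed sample, not real KDC output: AD-IF-RELEVANT (1) wrapping an
# element of type 128 that carries 200 opaque placeholder bytes.
INNER = enc(0x30, element(128, b"\xAA" * 200))
SAMPLE = enc(0x30, element(1, INNER))
if __name__ == "__main__":
    print([(t, len(d)) for t, d in parse_authorization_data(SAMPLE)])
```

An element of type 1 (AD-IF-RELEVANT) carries another encoded AuthorizationData, so its payload can be passed to parse_authorization_data again; payloads that are not ASN.1 come back as raw bytes for separate inspection.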