7.5. Protocol Constants and Associated Values

The following tables list constants used in the protocol and define their meanings. In the "specification" section, ranges are specified that limit the values of constants for which values are defined here. This allows implementations to make assumptions about the maximum values that will be received for these constants. Implementations receiving values outside the range specified in the "specification" section MAY reject the request, but they MUST recover cleanly.

7.5.1. Key Usage Numbers

The encryption and checksum specifications in [RFC3961] require as input a "key usage number", to alter the encryption key used in any specific message in order to make certain types of cryptographic attack more difficult. These are the key usage values assigned in this document:

1.  AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the client key (Section 5.2.7.2)
2.  AS-REP Ticket and TGS-REP Ticket (includes TGS session key or application session key), encrypted with the service key (Section 5.3)
3.  AS-REP encrypted part (includes TGS session key or application session key), encrypted with the client key (Section 5.4.2)
4.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS session key (Section 5.4.1)
5.  TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the TGS authenticator subkey (Section 5.4.1)
6.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed with the TGS session key (Section 5.5.1)
7.  TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes TGS authenticator subkey), encrypted with the TGS session key (Section 5.5.1)
8.  TGS-REP encrypted part (includes application session key), encrypted with the TGS session key (Section 5.4.2)
9.  TGS-REP encrypted part (includes application session key), encrypted with the TGS authenticator subkey (Section 5.4.2)
10. AP-REQ Authenticator cksum, keyed with the application session key (Section 5.5.1)
11. AP-REQ Authenticator (includes application authenticator subkey), encrypted with the application session key (Section 5.5.1)
12. AP-REP encrypted part (includes application session subkey), encrypted with the application session key (Section 5.5.2)
13. KRB-PRIV encrypted part, encrypted with a key chosen by the application (Section 5.7.1)
14. KRB-CRED encrypted part, encrypted with a key chosen by the application (Section 5.8.1)
15. KRB-SAFE cksum, keyed with a key chosen by the application (Section 5.6.1)
16-18. Reserved for future use in Kerberos and related protocols.
19. AD-KDC-ISSUED checksum (ad-checksum in 5.2.6.4)
20-21. Reserved for future use in Kerberos and related protocols.
22-25. Reserved for use in the Kerberos Version 5 GSS-API mechanisms [RFC4121].
26-511. Reserved for future use in Kerberos and related protocols.
512-1023. Reserved for uses internal to a Kerberos implementation.
1024. Encryption for application use in protocols that do not specify key usage values
1025. Checksums for application use in protocols that do not specify key usage values
1026-2047. Reserved for application use.
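The following is an added illustration, not text or code from this RFC, of why the key usage number feeds the key derivation: the same base key keyed under two different usage numbers yields two unrelated checksum keys, so a checksum computed for an AP-REQ authenticator (usage 10) does not verify when a receiver interprets it under the TGS-REQ authenticator usage (usage 6), and a usage outside the 1-2047 space is rejected without crashing the receiver. The per-usage derivation is an assumed HMAC-SHA256 stand-in, not RFC 3961's DK/DR construction, and the key and message bytes are constructed.

```python
import hmac
import hashlib

# Key usage numbers from section 7.5.1 (subset used here).
KU_TGS_REQ_AUTH_CKSUM = 6   # TGS-REQ PA-TGS-REQ AP-REQ Authenticator cksum
KU_AP_REQ_AUTH_CKSUM = 10   # AP-REQ Authenticator cksum
KU_APP_MAX = 2047           # top of the 1026-2047 application range

def usage_in_range(usage: int) -> bool:
    """Range check per section 7.5: 1..2047 is the space this document
    defines or reserves; anything else may be rejected."""
    return 1 <= usage <= KU_APP_MAX

def derive_checksum_key(base_key: bytes, usage: int) -> bytes:
    """Stand-in for RFC 3961's checksum-key derivation. ASSUMPTION: plain
    HMAC-SHA256 over (usage as 4-byte big-endian || 0x99) is used here only
    to show domain separation; it is not the RFC 3961 DK/DR construction."""
    if not usage_in_range(usage):
        raise ValueError(f"key usage {usage} is outside the protocol range")
    return hmac.new(base_key, usage.to_bytes(4, "big") + b"\x99",
                    hashlib.sha256).digest()

def keyed_checksum(base_key: bytes, usage: int, message: bytes) -> bytes:
    """Keyed checksum under the usage-specific key (stand-in: HMAC-SHA256)."""
    return hmac.new(derive_checksum_key(base_key, usage), message,
                    hashlib.sha256).digest()

def verify_checksum(base_key: bytes, usage: int, message: bytes,
                    cksum: bytes) -> bool:
    """Constant-time verification under the usage the receiver expects."""
    return hmac.compare_digest(keyed_checksum(base_key, usage, message), cksum)

def handle_received(base_key: bytes, usage: int, message: bytes,
                    cksum: bytes) -> str:
    """Receiver path: reject an out-of-range usage without crashing (the
    'MUST recover cleanly' rule), then verify under the expected usage."""
    try:
        ok = verify_checksum(base_key, usage, message, cksum)
    except ValueError:
        return "rejected: key usage out of range"
    return "accepted" if ok else "rejected: checksum mismatch"

if __name__ == "__main__":
    key = b"\x00" * 32            # constructed session key, not a real one
    auth = b"authenticator-bytes"  # constructed authenticator contents
    c = keyed_checksum(key, KU_AP_REQ_AUTH_CKSUM, auth)
    print(handle_received(key, KU_AP_REQ_AUTH_CKSUM, auth, c))   # accepted
    print(handle_received(key, KU_TGS_REQ_AUTH_CKSUM, auth, c))  # rejected
    print(handle_received(key, 5000, auth, c))                   # out of range
```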

7.5.2. PreAuthentication Data Types

Padata and Data Type         Padata-type   Comment
                             Value

PA-TGS-REQ                     1
PA-ENC-TIMESTAMP               2
PA-PW-SALT                     3
[reserved]                     4
PA-ENC-UNIX-TIME               5          (deprecated)
PA-SANDIA-SECUREID             6
PA-SESAME                      7
PA-OSF-DCE                     8
PA-CYBERSAFE-SECUREID          9
PA-AFS3-SALT                  10
PA-ETYPE-INFO                 11
PA-SAM-CHALLENGE              12          (sam/otp)
PA-SAM-RESPONSE               13          (sam/otp)
PA-PK-AS-REQ_OLD              14          (pkinit)
PA-PK-AS-REP_OLD              15          (pkinit)
PA-PK-AS-REQ                  16          (pkinit)
PA-PK-AS-REP                  17          (pkinit)
PA-ETYPE-INFO2                19          (replaces pa-etype-info)
PA-USE-SPECIFIED-KVNO         20
PA-SAM-REDIRECT               21          (sam/otp)
PA-GET-FROM-TYPED-DATA        22          (embedded in typed data)
TD-PADATA                     22          (embeds padata)
PA-SAM-ETYPE-INFO             23          (sam/otp)
PA-ALT-PRINC                  24          ([email protected])
PA-SAM-CHALLENGE2             30          ([email protected])
PA-SAM-RESPONSE2              31          ([email protected])
PA-EXTRA-TGT                  41          Reserved extra TGT
TD-PKINIT-CMS-CERTIFICATES   101          CertificateSet from CMS
TD-KRB-PRINCIPAL             102          PrincipalName
TD-KRB-REALM                 103          Realm
TD-TRUSTED-CERTIFIERS        104          from PKINIT
TD-CERTIFICATE-INDEX         105          from PKINIT
TD-APP-DEFINED-ERROR         106          application specific
TD-REQ-NONCE                 107          INTEGER
TD-REQ-SEQ                   108          INTEGER
PA-PAC-REQUEST               128          ([email protected])

7.5.3. Address Types

Address Type         Value

IPv4                   2
Directional            3
ChaosNet               5
XNS                    6
ISO                    7
DECNET Phase IV       12
AppleTalk DDP         16
NetBios               20
IPv6                  24

7.5.4. Authorization Data Types

Authorization Data Type               Ad-type Value

AD-IF-RELEVANT                          1
AD-INTENDED-FOR-SERVER                  2
AD-INTENDED-FOR-APPLICATION-CLASS       3
AD-KDC-ISSUED                           4
AD-AND-OR                               5
AD-MANDATORY-TICKET-EXTENSIONS          6
AD-IN-TICKET-EXTENSIONS                 7
AD-MANDATORY-FOR-KDC                    8
Reserved values                         9-63
OSF-DCE                                64
SESAME                                 65
AD-OSF-DCE-PKI-CERTID                  66    ([email protected])
AD-WIN2K-PAC                          128    ([email protected])
AD-ETYPE-NEGOTIATION                  129    ([email protected])

7.5.5. Transited Encoding Types

Transited Encoding Type        Tr-type Value

DOMAIN-X500-COMPRESS             1
Reserved values                  All others

7.5.6. Protocol Version Number

Label    Value    Meaning or MIT Code

pvno       5      Current Kerberos protocol version number

7.5.7. Kerberos Message Types

Message Type      Value    Meaning

KRB_AS_REQ         10      Request for initial authentication
KRB_AS_REP         11      Response to KRB_AS_REQ request
KRB_TGS_REQ        12      Request for authentication based on TGT
KRB_TGS_REP        13      Response to KRB_TGS_REQ request
KRB_AP_REQ         14      Application request to server
KRB_AP_REP         15      Response to KRB_AP_REQ_MUTUAL
KRB_RESERVED16     16      Reserved for user-to-user krb_tgt_request
KRB_RESERVED17     17      Reserved for user-to-user krb_tgt_reply
KRB_SAFE           20      Safe (checksummed) application message
KRB_PRIV           21      Private (encrypted) application message
KRB_CRED           22      Private (encrypted) message to forward credentials
KRB_ERROR          30      Error response

7.5.8. Name Types

Name Type               Value    Meaning

KRB_NT_UNKNOWN            0      Name type not known
KRB_NT_PRINCIPAL          1      Just the name of the principal as in DCE, or for users
KRB_NT_SRV_INST           2      Service and other unique instance (krbtgt)
KRB_NT_SRV_HST            3      Service with host name as instance (telnet, rcommands)
KRB_NT_SRV_XHST           4      Service with host as remaining components
KRB_NT_UID                5      Unique ID
KRB_NT_X500_PRINCIPAL     6      Encoded X.509 Distinguished name [RFC2253]
KRB_NT_SMTP_NAME          7      Name in form of SMTP email name (e.g., [email protected])
KRB_NT_ENTERPRISE        10      Enterprise name; may be mapped to principal name

7.5.9. Error Codes

Error Code                              Value    Meaning

KDC_ERR_NONE                              0      No error
KDC_ERR_NAME_EXP                          1      Client's entry in database has expired
KDC_ERR_SERVICE_EXP                       2      Server's entry in database has expired
KDC_ERR_BAD_PVNO                          3      Requested protocol version number not supported
KDC_ERR_C_OLD_MAST_KVNO                   4      Client's key encrypted in old master key
KDC_ERR_S_OLD_MAST_KVNO                   5      Server's key encrypted in old master key
KDC_ERR_C_PRINCIPAL_UNKNOWN               6      Client not found in Kerberos database
KDC_ERR_S_PRINCIPAL_UNKNOWN               7      Server not found in Kerberos database
KDC_ERR_PRINCIPAL_NOT_UNIQUE              8      Multiple principal entries in database
KDC_ERR_NULL_KEY                          9      The client or server has a null key
KDC_ERR_CANNOT_POSTDATE                  10      Ticket not eligible for postdating
KDC_ERR_NEVER_VALID                      11      Requested starttime is later than end time
KDC_ERR_POLICY                           12      KDC policy rejects request
KDC_ERR_BADOPTION                        13      KDC cannot accommodate requested option
KDC_ERR_ETYPE_NOSUPP                     14      KDC has no support for encryption type
KDC_ERR_SUMTYPE_NOSUPP                   15      KDC has no support for checksum type
KDC_ERR_PADATA_TYPE_NOSUPP               16      KDC has no support for padata type
KDC_ERR_TRTYPE_NOSUPP                    17      KDC has no support for transited type
KDC_ERR_CLIENT_REVOKED                   18      Client's credentials have been revoked
KDC_ERR_SERVICE_REVOKED                  19      Credentials for server have been revoked
KDC_ERR_TGT_REVOKED                      20      TGT has been revoked
KDC_ERR_CLIENT_NOTYET                    21      Client not yet valid; try again later
KDC_ERR_SERVICE_NOTYET                   22      Server not yet valid; try again later
KDC_ERR_KEY_EXPIRED                      23      Password has expired; change password to reset
KDC_ERR_PREAUTH_FAILED                   24      Pre-authentication information was invalid
KDC_ERR_PREAUTH_REQUIRED                 25      Additional pre-authentication required
KDC_ERR_SERVER_NOMATCH                   26      Requested server and ticket don't match
KDC_ERR_MUST_USE_USER2USER               27      Server principal valid for user2user only
KDC_ERR_PATH_NOT_ACCEPTED                28      KDC Policy rejects transited path
KDC_ERR_SVC_UNAVAILABLE                  29      A service is not available
KRB_AP_ERR_BAD_INTEGRITY                 31      Integrity check on decrypted field failed
KRB_AP_ERR_TKT_EXPIRED                   32      Ticket expired
KRB_AP_ERR_TKT_NYV                       33      Ticket not yet valid
KRB_AP_ERR_REPEAT                        34      Request is a replay
KRB_AP_ERR_NOT_US                        35      The ticket isn't for us
KRB_AP_ERR_BADMATCH                      36      Ticket and authenticator don't match
KRB_AP_ERR_SKEW                          37      Clock skew too great
KRB_AP_ERR_BADADDR                       38      Incorrect net address
KRB_AP_ERR_BADVERSION                    39      Protocol version mismatch
KRB_AP_ERR_MSG_TYPE                      40      Invalid msg type
KRB_AP_ERR_MODIFIED                      41      Message stream modified
KRB_AP_ERR_BADORDER                      42      Message out of order
KRB_AP_ERR_BADKEYVER                     44      Specified version of key is not available
KRB_AP_ERR_NOKEY                         45      Service key not available
KRB_AP_ERR_MUT_FAIL                      46      Mutual authentication failed
KRB_AP_ERR_BADDIRECTION                  47      Incorrect message direction
KRB_AP_ERR_METHOD                        48      Alternative authentication method required
KRB_AP_ERR_BADSEQ                        49      Incorrect sequence number in message
KRB_AP_ERR_INAPP_CKSUM                   50      Inappropriate type of checksum in message
KRB_AP_PATH_NOT_ACCEPTED                 51      Policy rejects transited path
KRB_ERR_RESPONSE_TOO_BIG                 52      Response too big for UDP; retry with TCP
KRB_ERR_GENERIC                          60      Generic error (description in e-text)
KRB_ERR_FIELD_TOOLONG                    61      Field is too long for this implementation
KDC_ERROR_CLIENT_NOT_TRUSTED             62      Reserved for PKINIT
KDC_ERROR_KDC_NOT_TRUSTED                63      Reserved for PKINIT
KDC_ERROR_INVALID_SIG                    64      Reserved for PKINIT
KDC_ERR_KEY_TOO_WEAK                     65      Reserved for PKINIT
KDC_ERR_CERTIFICATE_MISMATCH             66      Reserved for PKINIT
KRB_AP_ERR_NO_TGT                        67      No TGT available to validate USER-TO-USER
KDC_ERR_WRONG_REALM                      68      Reserved for future use
KRB_AP_ERR_USER_TO_USER_REQUIRED         69      Ticket must be for USER-TO-USER
KDC_ERR_CANT_VERIFY_CERTIFICATE          70      Reserved for PKINIT
KDC_ERR_INVALID_CERTIFICATE              71      Reserved for PKINIT
KDC_ERR_REVOKED_CERTIFICATE              72      Reserved for PKINIT
KDC_ERR_REVOCATION_STATUS_UNKNOWN        73      Reserved for PKINIT
KDC_ERR_REVOCATION_STATUS_UNAVAILABLE    74      Reserved for PKINIT
KDC_ERR_CLIENT_NAME_MISMATCH             75      Reserved for PKINIT
KDC_ERR_KDC_NAME_MISMATCH                76      Reserved for PKINIT