Parsing Microsoft PAC-field from KRB_AP_REQ

Sebastian Robertsson sebastian.robertsson at
Tue Jan 4 04:39:32 EST 2005


I'm using Micosoft Server 2003 together with Kerberos, and I'm trying to 
use the authorizationData field in the ticket in order to get the groups 
that the corresponding user is a member of. I understand that this data is 
located in the last field in the enrypted part of the ticket, and that 
this part of the ticket is encrypted with the master key of the KDC and 
the corresponding service. Further, I get the PAC-data which seems correct 
as far as decrypting is concerned (I get readable data when printing a 
string representation of the byte array). However,  I can't get figure out 
how to get the group ID:s from the Microsoft spec:

According to MS, this is the top level 

typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long64 ULONG64;
typedef unsigned char UCHAR;

typedef struct _PACTYPE{
    ULONG cBuffers;
    ULONG Version; 
    PAC_INFO_BUFFER Buffers[1];

and this seems correct according to my data. The next level,

typedef struct _PAC_INFO_BUFFER {
    ULONG ulType;
    ULONG cbBufferSize;
    ULONG64 Offset;

also seems correct according to my data.

But when parsing the next level, the PAC_LOGON_INFO, I can't figure out 
how to find the expected data. 
I know that it is NDR-encoded. I've used a Java-API for this ( and, but 
I still can't find the data I'm looking for. Perhaps I'm missing some 
significant info in how the Microsoft spec and NDR are related. My source 
of NDR-syntax is

Specific questions:
1. The pointer to the string(?) buffer in UNICODE_STRING, is it considered 
as an "Embedded Full pointer" in NDR?
2. The representation of the string data itself, is it consider as a 
"String" in NDR?
3. Is there a simple way to figure out which byte(s) that holds the 
information that I'm looking for (groupIDs)?

However, the data that I want to find is not these strings - they are just 
a way to orientate myself in the structure. The data that I want to read 
is "PrimaryGroupId" and "GroupIds" - but where should I start? 

I've also found this link:

Don't really know what that is, but as far as I can see this is just an 
augmented version of the public MS spec.

Does anyone have experience in this matter?? Any help is appreciated.


Sebastian Robertsson

Sebastian Robertsson
sebastian.robertsson at
070-625 92 45

More information about the krbdev mailing list