KeyExpirationTime of KERB_EXTERNAL_TICKET missing on Windows XP 64 bit

Max (Weijun) Wang Weijun.Wang at sun.com
Tue Dec 1 07:32:08 EST 2009 

Hi All

I have a 32-bit program calling  
LsaCallAuthenticationPackage(KerbRetrieveTicketMessage). It works fine  
on Win XP 32 bit but fails on Win XP 64 bit.

So I get a piece of KERB_EXTERNAL_TICKET struct, and its definition is  
shown on MSDN [1] as:

typedef struct _KERB_EXTERNAL_TICKET {   width offset
   PKERB_EXTERNAL_NAME ServiceName;           4 0
   PKERB_EXTERNAL_NAME TargetName;            4 4
   PKERB_EXTERNAL_NAME ClientName;            4 8
   UNICODE_STRING      DomainName;            8 C
   UNICODE_STRING      TargetDomainName;      8 14
   UNICODE_STRING      AltTargetDomainName;   8 1C
   KERB_CRYPTO_KEY     SessionKey;            C 24
   ULONG               TicketFlags;           4 30
   ULONG               Flags;                 4 34
   LARGE_INTEGER       KeyExpirationTime;     8 38
   LARGE_INTEGER       StartTime;             8 40
   LARGE_INTEGER       EndTime;               8 48
   LARGE_INTEGER       RenewUntil;            8 50
   LARGE_INTEGER       TimeSkew;              8 58
   ULONG               EncodedTicketSize;     4 60
   PUCHAR              EncodedTicket;         4 64
}KERB_EXTERNAL_TICKET, *PKERB_EXTERNAL_TICKET;

Here the KeyExpirationTime should start at offset 0x38 after the Flags  
field, which includes 4 zero.

On Windows XP 32 bit it's very fine.

68 00 F8 0A A4 00 F8 0A CC 00 F8 0A 1A 00 1A 00
E4 00 F8 0A 1A 00 1A 00 FE 00 F8 0A 06 00 06 00
18 01 F8 0A 17 00 00 00 10 00 00 00 1E 01 F8 0A
00 00 E0 40 00 00 00 00 00 00 00 00 00 00 00 00
             ^ Flags     ^ KeyExpirationTime
00 EB 2B E1 37 72 CA 01 00 FB D7 B2 8B 72 CA 01
00 2B 10 0A B8 77 CA 01 00 00 00 00 00 00 00 00
FB 03 00 00 2E 01 F8 0A
^ EncodedTicketSize

On Windows XP 64 bit, it seems right after Flags there come StartTime,  
EndTime, and RenewUntil, so those 8 bytes for KeyExpirationTime are  
lost. In fact, the EncodedTicketSize field appears earlier.

60 00 44 0C 9C 00 44 0C C4 00 44 0C 1A 00 1A 00
DC 00 44 0C 1A 00 1A 00 F6 00 44 0C 1A 00 1A 00
10 01 44 0C 17 00 00 00 10 00 00 00 2A 01 44 0C
00 00 E0 40 00 00 00 00 00 60 68 41 2B 72 CA 01
             ^ Flags     ^ ???
00 70 14 13 7F 72 CA 01 00 A0 4C 6A AB 77 CA 01
00 00 00 00 00 00 00 00 FB 03 00 00 3A 01 44 0C
                         ^ EncodedTicketSize
02 00 02 00 0C 00 0C 00

Is this a known issue? Or I should not run this 32 bit program on a 64  
bit system at all?

My Win XP 64 is "Version 2003 Service Pack 2". The server side is  
Windows 2008 R2 64 bit. Both run as guests in VirtualBox.

Thanks
Max

[1] http://msdn.microsoft.com/en-us/library/aa378073(VS.85).aspx

More information about the krbdev mailing list