

Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols






RFC 3244      Microsoft Windows 2000 Kerberos Change & Set February 2002


   authenticator from the AP_REQ message (the seq-number in the
   authenticator will be present).  The server ignores the optional
   r-address field in the KRB_PRIV message, if it is present.

   The user-data component of the message consists of the following
   ASN.1 structure encoded as an OCTET STRING:

      ChangePasswdData ::=  SEQUENCE {
                          newpasswd[0]   OCTET STRING,
                          targname[1]    PrincipalName OPTIONAL,
                          targrealm[2]   Realm OPTIONAL
                          }

   The server must verify the AP-REQ message, check whether the client
   principal in the ticket is authorized to set/change the password
   (either for that principal, or for the principal in the targname
   field if present), and decrypt the new password.  The server also
   checks whether the initial flag is required for this request,
   replying with status 0x0007 if it is not set and should be.  An
   authorization failure is cause to respond with status 0x0005.  For
   forward compatibility, the server should be prepared to ignore fields
   after targrealm in the structure that it does not understand.

   The newpasswd field contains the cleartext password, and the server
   will apply any local policy checks including password policy checks.
   The server then generates the appropriate keytypes from the password
   and stores them in the KDC database.  If all goes well, status 0x0000
   is returned to the client in the reply message (see below).

   Reply Message

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         message length        |    protocol version number    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          AP_REP length        |         AP-REP data           /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    /                         KRB-PRIV message                      /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   All 16-bit fields are in big-endian (network byte) order.

   message length field: contains the number of bytes in the message
   including this field.
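   The following is an added example and is not code from RFC 3244 or
   from any Microsoft implementation.  It covers both the request
   processing described above (DER encoding and decoding of
   ChangePasswdData, including the rule that unknown fields after
   targrealm are ignored, and the authorization decision that yields
   0x0005 or 0x0007) and the reply message framing with its 16-bit
   big-endian fields.  Assumptions: Kerberos ASN.1 uses EXPLICIT
   context tags and a Realm is a GeneralString, the protocol version
   constant 0xff80 is taken from the RFC's request-message definition
   on the preceding page, the authorization policy inside
   decide_status is illustrative, and the principal names and AP-REP
   and KRB-PRIV byte strings are constructed sample data rather than
   real protocol captures.

```python
"""Added example (not RFC 3244's own code): DER-encode and decode
ChangePasswdData, apply the server-side authorization decision this page
describes, and frame/parse the reply message.  Policy knobs, principal
names and message bytes below are assumptions or constructed samples."""
import struct

# Result codes named on this page (carried in the reply's KRB-PRIV, described later in the RFC).
STATUS_SUCCESS = 0x0000
STATUS_ACCESS_DENIED = 0x0005        # authorization failure
STATUS_INITIAL_FLAG_NEEDED = 0x0007  # ticket lacks the INITIAL flag when policy requires it
# Protocol version number; the RFC fixes 0xff80 in its request-message definition (previous page).
PROTOCOL_VERSION = 0xFF80

# ---- minimal DER helpers; Kerberos ASN.1 modules use EXPLICIT context tags ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_ctx(n, body):
    return der_tlv(0xA0 | n, body)  # [n] EXPLICIT: constructed context-specific tag

def der_read(buf, pos):
    """Return (tag, value, position after the element) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def general_string(s):
    return der_tlv(0x1B, s.encode("ascii"))

def encode_principal_name(components, name_type=1):  # 1 = NT-PRINCIPAL
    # PrincipalName ::= SEQUENCE { name-type[0] INTEGER, name-string[1] SEQUENCE OF GeneralString }
    name_type_der = der_tlv(0x02, name_type.to_bytes(1, "big"))
    name_string_der = der_tlv(0x30, b"".join(general_string(c) for c in components))
    return der_tlv(0x30, der_ctx(0, name_type_der) + der_ctx(1, name_string_der))

def encode_change_passwd_data(newpasswd, targname=None, targrealm=None):
    body = der_ctx(0, der_tlv(0x04, newpasswd))              # newpasswd[0] OCTET STRING
    if targname is not None:
        body += der_ctx(1, encode_principal_name(targname))  # targname[1] PrincipalName OPTIONAL
    if targrealm is not None:
        body += der_ctx(2, general_string(targrealm))        # targrealm[2] Realm OPTIONAL
    return der_tlv(0x30, body)

def decode_change_passwd_data(data):
    """Server-side decode; unknown fields after targrealm are skipped (forward compatibility)."""
    tag, seq, end = der_read(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("ChangePasswdData must be exactly one SEQUENCE")
    out = {"newpasswd": None, "targname": None, "targrealm": None}
    pos = 0
    while pos < len(seq):
        tag, body, pos = der_read(seq, pos)
        if tag == 0xA0:
            out["newpasswd"] = der_read(body, 0)[1]
        elif tag == 0xA1:
            _, pn, _ = der_read(body, 0)             # PrincipalName SEQUENCE
            _, _, after_type = der_read(pn, 0)       # skip name-type[0]
            _, ns_ctx, _ = der_read(pn, after_type)  # name-string[1]
            _, ns, _ = der_read(ns_ctx, 0)           # SEQUENCE OF GeneralString
            comps, p = [], 0
            while p < len(ns):
                _, s, p = der_read(ns, p)
                comps.append(s.decode("ascii"))
            out["targname"] = comps
        elif tag == 0xA2:
            out["targrealm"] = der_read(body, 0)[1].decode("ascii")
        # any other tag: a field this server does not understand; ignored per the RFC
    if out["newpasswd"] is None:
        raise ValueError("newpasswd is mandatory")
    return out

def decide_status(client_principal, req, ticket_initial, set_password_admins):
    """Authorization step from this page.  Assumed policy (not from the RFC): a principal
    may change its own password only with an INITIAL ticket; setting another principal's
    password requires membership in set_password_admins and needs no INITIAL flag."""
    target = "/".join(req["targname"]) if req["targname"] else client_principal
    if target == client_principal:
        return STATUS_SUCCESS if ticket_initial else STATUS_INITIAL_FLAG_NEEDED
    return STATUS_SUCCESS if client_principal in set_password_admins else STATUS_ACCESS_DENIED

# ---- reply message framing: three 16-bit big-endian fields, then AP-REP and KRB-PRIV ----
def build_reply(ap_rep, krb_priv):
    total = 6 + len(ap_rep) + len(krb_priv)  # message length counts its own two bytes
    return struct.pack("!HHH", total, PROTOCOL_VERSION, len(ap_rep)) + ap_rep + krb_priv

def parse_reply(buf):
    if len(buf) < 6:
        raise ValueError("reply shorter than its fixed header")
    length, version, ap_len = struct.unpack("!HHH", buf[:6])
    if length != len(buf):
        raise ValueError("message length %d does not match %d bytes received" % (length, len(buf)))
    if 6 + ap_len > length:
        raise ValueError("AP-REP length overruns the message")
    return {"version": version, "ap_rep": buf[6:6 + ap_len], "krb_priv": buf[6 + ap_len:]}
```

   A real server would call decode_change_passwd_data only on the
   user-data recovered from a KRB-PRIV whose AP-REQ has already been
   verified; parse_reply on the client side rejects a frame whose
   message length disagrees with the bytes actually received before
   touching the AP-REP or KRB-PRIV, which is the check that keeps a
   truncated or padded reply from being misparsed.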






Swift, et al.                Informational