RFC 3244 (rfc3244) - Page 2 of 7


Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols



Alternative Format: Original Text Document



RFC 3244      Microsoft Windows 2000 Kerberos Change & Set February 2002


2.  The Protocol

   The service accepts requests on UDP port 464 and TCP port 464 as
   well.  The protocol consists of a single request message followed by
   a single reply message.  For UDP transport, each message must be
   fully contained in a single UDP packet.

   For TCP transport, there is a 4 octet header in network byte order
   that precedes the message and specifies the length of the message.

   Request Message

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         message length        |    protocol version number    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          AP_REQ length        |         AP_REQ data           /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    /                        KRB-PRIV message                       /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   All 16 bit fields are in big-endian order.

   message length field: contains the number of bytes in the message
   including this field.

   protocol version number: contains the hex constant 0xff80 (big-endian
   integer).

   AP-REQ length: length of AP-REQ data, in bytes.  If the length is
   zero, then the last field contains a KRB-ERROR message instead of a
   KRB-PRIV message.

   AP-REQ data: (see [1]) The AP-REQ message must be for the service
   principal kadmin/changepw@REALM, where REALM is the REALM of the user
   who wishes to change/set his password.  The authenticator in the AP-
   REQ must include a subsession key.  (NOTE: The subsession key must be
   pseudo-randomly generated and must never be reused for multiple
   authenticators.)  To enable setting of passwords, it is not required
   that the initial flag be set in the Kerberos service ticket.

   KRB-PRIV message (see [1]) This user-data field in the KRB-PRIV
   message is encrypted using the subkey from the authenticator in the
   AP-REQ data.  The usec and seq-number fields of the KRB_PRIV message
   are present and have the same value as the seq-number field in the





Swift, et al.                Informational