krb5_kdc_verify_ticket - Verify a PAC, possibly including ticket signature.

krb5_error_code krb5_kdc_verify_ticket(krb5_context context, const krb5_enc_tkt_part * enc_tkt, krb5_const_principal server_princ, const krb5_keyblock * server, const krb5_keyblock * privsvr, krb5_pac * pac_out)

[in] context - Library context

[in] enc_tkt - Ticket enc-part, possibly containing a PAC

[in] server_princ - Canonicalized name of ticket server

[in] server - Key to validate server checksum (or NULL)

[in] privsvr - Key to validate KDC checksum (or NULL)

[out] pac_out - Verified PAC (NULL if no PAC included)

  • 0 Success; otherwise - Kerberos error codes

If a PAC is present in enc_tkt , verify its signatures. If privsvr is not NULL and server_princ is not a krbtgt or kadmin/changepw service, require a ticket signature over enc_tkt in addition to the KDC signature. Place the verified PAC in pac_out . If an invalid PAC signature is found, return an error matching the Windows KDC protocol code for that condition as closely as possible.

If no PAC is present in enc_tkt , set pac_out to NULL and return successfully.


This function does not validate the PAC_CLIENT_INFO buffer. If a specific value is expected, the caller can make a separate call to krb5_pac_verify_ext() with a principal but no keys.


New in 1.20