krb5_mk_ncred - Format a KRB-CRED message for an array of credentials.

krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds ** creds, krb5_data ** der_out, krb5_replay_data * rdata_out)

[in] context - Library context

[in] auth_context - Authentication context

[in] creds - Null-terminated array of credentials

[out] der_out - Encoded credentials

[out] rdata_out - Replay cache information (NULL if not needed)

  • 0 Success
  • ENOMEM Insufficient memory
  • KRB5_RC_REQUIRED Message replay detection requires rcache parameter
  • Kerberos error codes

This function takes an array of credentials creds and formats a KRB-CRED message der_out to pass to krb5_rd_cred() .

The local and remote addresses in auth_context are optional; if either is specified, they are used to form the sender and receiver addresses in the KRB-CRED message.

If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME is not set, no replay cache is used. If KRB5_AUTH_CONTEXT_RET_TIME is set in auth_context , the timestamp used for the KRB-CRED message is stored in rdata_out .

If either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the auth_context local sequence number is included in the KRB-CRED message and then incremented. If KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the sequence number used is stored in rdata_out .

Use krb5_free_data_contents() to free der_out when it is no longer needed.

The message will be encrypted using the send subkey of auth_context if it is present, or the session key otherwise. If neither key is present, the credentials will not be encrypted, and the message should only be sent over a secure channel. No replay cache entry is used in this case.


The rdata_out argument is required if the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context .