The KRB_CRED message contains a sequence of tickets to be sent and information needed to use the tickets, including the session key from each. The information needed to use the tickets is encrypted under an encryption key previously exchanged. The message fields are as follows:
tickets
The tickets obtained from the Key Distribution Center (KDC) specifically for use by the intended recipient. Successive tickets are paired with the corresponding KrbCredInfo sequence from the enc-part of the KRB-CRED message.
enc-part
Holds an encoding of the EncKrbCredPart sequence encrypted under the session key shared between the sender and the intended recipient. This encrypted encoding is used for the enc-part field of the KRB-CRED message.
nonce
If practical, an application may require the inclusion of a nonce generated by the recipient of the message. If the same value is included as the nonce in the message, it provides evidence that the message is fresh and has not been replayed by an attacker. A nonce must never be reused.
timestamp and usec
Specifies the time that the KRB-CRED message was generated. The time is used to provide assurance that the message is fresh.
s-address and r-address
Described earlier. Used to provide additional assurance of the integrity of the KRB-CRED message.
key
Exists in the corresponding ticket passed by the KRB-CRED message and is used to pass the session key from the sender to the intended recipient.
The following fields are optional. If present, they can be associated with the credentials in the remote ticket file. If left out, it is assumed that the recipient of the credentials already knows their value.
prealm and pname
The name and realm of the delegated principal identity.
flags, authtime, starttime, endtime, renew-till, srealm, sname, and caddr
Contain the values of the corresponding fields from the ticket found in the ticket field. The descriptions of these fields are identical to those given for the KDC-REP message.
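As an added example, not taken from the RFC text, the following Python sketch shows the recipient-side checks the fields above make possible (ticket/KrbCredInfo pairing, nonce match, timestamp freshness, s-address and r-address) over a simplified in-memory model of the message. The 5-minute skew, the addresses and the nonce values are constructed, and the enc-part is assumed to have been decrypted already under the shared session key.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Tolerance and reference time are constructed for this example, not taken from the RFC text.
CLOCK_SKEW = timedelta(minutes=5)
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

@dataclass
class KrbCredInfo:            # one entry of the ticket-info sequence in EncKrbCredPart
    key: bytes                # session key for the ticket paired with this entry
    pname: Optional[str] = None

@dataclass
class EncKrbCredPart:         # enc-part after decryption under the shared session key
    ticket_info: List[KrbCredInfo]
    nonce: Optional[int] = None
    timestamp: Optional[datetime] = None
    s_address: Optional[str] = None
    r_address: Optional[str] = None

@dataclass
class KrbCred:
    tickets: List[bytes]      # opaque ticket encodings, paired by position with ticket_info
    enc_part: EncKrbCredPart

def validate_krb_cred(msg, expected_nonce, my_addr, peer_addr, now=NOW):
    """Recipient-side checks; returns a list of problems (empty list means accept)."""
    problems, enc = [], msg.enc_part
    if len(msg.tickets) != len(enc.ticket_info):
        problems.append("ticket/KrbCredInfo count mismatch")
    if expected_nonce is not None and enc.nonce != expected_nonce:
        problems.append("nonce mismatch")          # not the nonce we issued: stale or replayed
    if enc.timestamp is not None and abs(now - enc.timestamp) > CLOCK_SKEW:
        problems.append("timestamp outside skew")
    if enc.s_address is not None and enc.s_address != peer_addr:
        problems.append("s-address mismatch")
    if enc.r_address is not None and enc.r_address != my_addr:
        problems.append("r-address mismatch")
    return problems

def demo():
    """Fresh delivery versus the same message replayed 30 minutes later (constructed data)."""
    info = [KrbCredInfo(key=b"\x11" * 16, pname="alice")]
    enc = EncKrbCredPart(info, nonce=4242, timestamp=NOW, s_address="10.0.0.5", r_address="10.0.0.9")
    msg = KrbCred([b"ticket-1"], enc)
    fresh = validate_krb_cred(msg, 4242, my_addr="10.0.0.9", peer_addr="10.0.0.5")
    # Recipient has since issued a new nonce (7777); the replay still carries the old one.
    replay = validate_krb_cred(msg, 7777, "10.0.0.9", "10.0.0.5", now=NOW + timedelta(minutes=30))
    return fresh, replay
```

The first result is empty (accept); the second lists the nonce and timestamp failures that identify the replay.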