The KRB_AP_REQ message contains the Kerberos protocol version number, the message type KRB_AP_REQ, an options field to indicate any options in use, and the ticket and authenticator themselves. The KRB_AP_REQ message is often referred to as the "authentication header".
AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno[0] INTEGER, msg-type[1] INTEGER, ap-options[2] APOptions, ticket[3] Ticket, authenticator[4] EncryptedData } APOptions ::= BIT STRING { reserved(0), use-session-key(1), mutual-required(2) }
These fields are described above in section 5.4.1. msg-type is KRB_AP_REQ.
This field appears in the application request (KRB_AP_REQ) and affects the way the request is processed. It is a bit-field, where the selected options are indicated by the bit being set (1), and the unselected options and reserved fields being reset (0). The encoding of the bits is specified in section 5.2. The meanings of the options are:
Bit(s) Name Description 0 RESERVED Reserved for future expansion of this field. 1 USE-SESSION-KEYThe USE-SESSION-KEY option indicates that the ticket the client is presenting to a server is encrypted in the session key from the server's ticket-granting ticket. When this option is not specified, the ticket is encrypted in the server's secret key. 2 MUTUAL-REQUIREDThe MUTUAL-REQUIRED option tells the server that the client requires mutual authentication, and that it must respond with a KRB_AP_REP message. 3-31 RESERVED Reserved for future use.
This field is a ticket authenticating the client to the server.
This contains the authenticator, which includes the client's choice of a subkey. Its encoding is described in section 5.3.2.