The following ASN.1 base definitions are used in the rest of this section. Note that since the underscore character (_) is not permitted in ASN.1 names, the hyphen (-) is used in its place for the purposes of ASN.1 names.
Realm ::= GeneralString
PrincipalName ::= SEQUENCE { name-type[0] INTEGER, name-string[1] SEQUENCE OF GeneralString }
This field specifies the type of name that follows. Pre-defined values for this field are specified in section 7.2. The name-type should be treated as a hint. Ignoring the name type, no two names can be the same (i.e., at least one of the components, or the realm, must be different). This constraint may be eliminated in the future.
This field encodes a sequence of components that form a name, each component encoded as a General String. Taken together, a PrincipalName and a Realm form a principal identifier. Most PrincipalNames will have only a few components (typically one or two).
KerberosTime ::= GeneralizedTime -- Specifying UTC time zone (Z)
HostAddress ::= SEQUENCE { addr-type[0] INTEGER, address[1] OCTET STRING } HostAddresses ::= SEQUENCE OF SEQUENCE { addr-type[0] INTEGER, address[1] OCTET STRING }
This field specifies the type of address that follows. Pre-defined values for this field are specified in section 8.1.
This field encodes a single address of type addr-type.
The two forms differ slightly. HostAddress contains exactly one address; HostAddresses contains a sequence of possibly many addresses.
AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type[0] INTEGER, ad-data[1] OCTET STRING }
This field contains authorization data to be interpreted according to the value of the corresponding ad-type field.
This field specifies the format for the ad-data subfield. All negative values are reserved for local use. Non-negative values are reserved for registered use.
APOptions ::= BIT STRING { reserved(0), use-session-key(1), mutual-required(2) } TicketFlags ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), may-postdate(5), postdated(6), invalid(7), renewable(8), initial(9), pre-authent(10), hw-authent(11) } KDCOptions ::= BIT STRING { reserved(0), forwardable(1), forwarded(2), proxiable(3), proxy(4), allow-postdate(5), postdated(6), unused7(7), renewable(8), unused9(9), unused10(10), unused11(11), renewable-ok(27), enc-tkt-in-skey(28), renew(30), validate(31) } LastReq ::= SEQUENCE OF SEQUENCE { lr-type[0] INTEGER, lr-value[1] KerberosTime }
This field indicates how the following lr-value field is to be interpreted. Negative values indicate that the information pertains only to the responding server. Non-negative values pertain to all servers for the realm.
If the lr-type field is zero (0), then no information is conveyed by the lr-value subfield. If the absolute value of the lr-type field is one (1), then the lr-value subfield is the time of last initial request for a TGT. If it is two (2), then the lr-value subfield is the time of last initial request. If it is three (3), then the lr-value subfield is the time of issue for the newest ticket-granting ticket used. If it is four (4), then the lr-value subfield is the time of the last renewal. If it is five (5), then the lr-value subfield is the time of last request (of any type).
This field contains the time of the last request. The time must be interpreted according to the contents of the accompanying lr-type subfield.
See section 6 for the definitions of Checksum, ChecksumType, EncryptedData, EncryptionKey, EncryptionType, and KeyType.