KDC Options and the missing Bit Mask

Hey Folks!

So, a question came up recently about the Ticket Options field in security events 4768 (a Kerberos authentication ticket (TGT) was requested) and 4769 (a Kerberos service ticket was requested). An example of one is below:

So just what are these "Ticket Options"?

Well, as it turns out, they are the KDC option flags carried in the Kerberos request (the KDCOptions field of the AS-REQ or TGS-REQ), which the KDC records in the event. Seems pretty straightforward, doesn't it? Well. While those options are defined in the RFC itself and in Microsoft's own documentation of Kerberos, the translation between the RFC's flag bit numbers and the bit mask values that Windows shows in the event is missing.

For example, we see in the above example that the Ticket Options are 0x40810000. But what does this mean? Which options do we have for this ticket? Looking at RFC 1510 (pages 40-41; its replacement, RFC 4120, keeps the same bit numbering in section 5.4.1) and our own article How the Kerberos Version 5 Authentication Protocol Works (Key Distribution Center Option Flags section), we have the flag bit number for each of the options. Unfortunately, most of us can't translate flag bits into bit masks in our heads, and that translation is missing from our docs.

So, working with a couple of my colleagues, Wayne McIntyre and Seth Moore (who are a couple of wizards that actually CAN translate this stuff in their heads), we came up with a nice easy-to-read table that hopefully will help if you are trying to figure out what 0x40810000 or something like 0x60810000 actually means. (Forwardable, Forwarded, Renewable and Name Canonicalize, just FYI. For an explanation of each of these, see the aforementioned TechNet article "How the Kerberos Version 5 Authentication Protocol Works".) The rule behind the table is that the RFC numbers the bits from the most significant end, so flag bit n corresponds to the mask 1 shifted left by (31 - n): bit 1 (Forwardable) is 0x40000000, bit 8 (Renewable) is 0x00800000 and bit 31 (Validate) is 0x00000001. 0x40810000 is therefore bits 1, 8 and 15 set: Forwardable, Renewable and Name Canonicalize.

Flag Bit   RFC/TechNet Flag Value          Bit Mask
0          KDC_OPTIONS_reserved            0x80000000
1          KDC_OPTIONS_forwardable         0x40000000
2          KDC_OPTIONS_forwarded           0x20000000
3          KDC_OPTIONS_proxiable           0x10000000
4          KDC_OPTIONS_proxy               0x08000000
5          KDC_OPTIONS_allow_postdate      0x04000000
6          KDC_OPTIONS_postdated           0x02000000
7          KDC_OPTIONS_unused7             0x01000000
8          KDC_OPTIONS_renewable           0x00800000
9          KDC_OPTIONS_unused9             0x00400000
10         KDC_OPTIONS_unused10            0x00200000
11         KDC_OPTIONS_opt_hardware_auth   0x00100000
12         KDC_OPTIONS_unused12            0x00080000
13         KDC_OPTIONS_unused13            0x00040000
14         KDC_OPTIONS_cname_in_addl_tkt   0x00020000
15         KDC_OPTIONS_name_canonicalize   0x00010000
27         KDC_OPTIONS_renewable_ok        0x00000010
28         KDC_OPTIONS_enc_tkt_in_skey     0x00000008
30         KDC_OPTIONS_renew               0x00000002
31         KDC_OPTIONS_validate            0x00000001

Bits not listed (16 through 26 and 29) have no entry in the table above, so a value that has any of them set should be treated as containing unknown bits.
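If you would rather not do the lookup by hand, the PowerShell below is an added example (mine, not from the original post or from any Microsoft tool) that builds each mask from its RFC bit number with the 1 shifted left by (31 - n) rule and decodes a TicketOptions string such as 0x40810000 into option names. The function names (Get-KdcOptionMask, ConvertFrom-KdcOptions, Get-KdcOptionsFromSecurityLog) are my own; the sample values at the bottom are constructed, not copied from a live log, and the Security log function assumes you run it on a domain controller with rights to read the Security log.

```powershell
# Added example: decode the TicketOptions field of events 4768/4769.
# Bit numbers follow the table above (RFC numbering, bit 0 is the most
# significant bit of the 32-bit value).
$KdcOptionBits = [ordered]@{
    reserved          = 0
    forwardable       = 1
    forwarded         = 2
    proxiable         = 3
    proxy             = 4
    allow_postdate    = 5
    postdated         = 6
    unused7           = 7
    renewable         = 8
    unused9           = 9
    unused10          = 10
    opt_hardware_auth = 11
    unused12          = 12
    unused13          = 13
    cname_in_addl_tkt = 14
    name_canonicalize = 15
    renewable_ok      = 27
    enc_tkt_in_skey   = 28
    renew             = 30
    validate          = 31
}

function Get-KdcOptionMask {
    # Translate an RFC flag bit number into the mask Windows shows in the event.
    # Int64 is used on purpose: a 32-bit hex literal like 0x80000000 is a
    # negative Int32 in PowerShell, which makes -band comparisons misleading.
    param([Parameter(Mandatory)][int]$Bit)
    return [int64]1 -shl (31 - $Bit)
}

function ConvertFrom-KdcOptions {
    # Accepts the hex string from the event ('0x40810000') or a plain integer.
    param([Parameter(Mandatory)]$TicketOptions)
    $value = if ($TicketOptions -is [string]) {
        [Convert]::ToInt64($TicketOptions.Trim(), 16)   # ToInt64 accepts the 0x prefix
    } else {
        [int64]$TicketOptions
    }
    $names = foreach ($entry in $KdcOptionBits.GetEnumerator()) {
        if (($value -band (Get-KdcOptionMask -Bit $entry.Value)) -ne 0) { $entry.Key }
    }
    # Bits the table does not name (16-26, 29) are reported rather than silently dropped.
    $known = 0L
    foreach ($bit in $KdcOptionBits.Values) { $known = $known -bor (Get-KdcOptionMask -Bit $bit) }
    $unknown = ($value -band (-bnot $known)) -band 0xFFFFFFFFL
    [pscustomobject]@{
        TicketOptions = ('0x{0:X8}' -f $value)
        Options       = @($names)
        UnknownBits   = ('0x{0:X8}' -f $unknown)
    }
}

function Get-KdcOptionsFromSecurityLog {
    # Assumption: run on a DC with read access to the Security log.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $decoded = ConvertFrom-KdcOptions $data['TicketOptions']
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Id            = $_.Id
                TargetUser    = $data['TargetUserName']
                Service       = $data['ServiceName']
                TicketOptions = $decoded.TicketOptions
                Options       = ($decoded.Options -join ',')
                UnknownBits   = $decoded.UnknownBits
            }
        }
}

# Constructed sample values: the two from the post plus one with renewable_ok set.
'0x40810000', '0x60810000', '0x40810010' | ForEach-Object { ConvertFrom-KdcOptions $_ }
```

Running the last line offline prints forwardable, renewable and name_canonicalize for 0x40810000, adds forwarded for 0x60810000, and adds renewable_ok for 0x40810010, with UnknownBits 0x00000000 in all three cases; on a domain controller, Get-KdcOptionsFromSecurityLog pipes the same decoder over live 4768/4769 events.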