Kerberos Ticket Authorization Context Variables

The following table describes Kerberos Ticket Authorization variables. 
Variable
Description
${kerberos.data.authorizations}
Returns a list of the authorization data stored in the ticket. Individual entries can be accessed by index; for example: ${kerberos.data.authorizations.0.pac.logoninfo.user.name}
Logon Information Attributes
${kerberos.data.authorizations.<index>.pac.logoninfo.logontime}
Returns the user log on time since Jan 1, 1970, in milliseconds.
${kerberos.data.authorizations.<index>.pac.logoninfo.logofftime}
Returns the time since Jan 1, 1970 at which the client’s log on session should expire, in milliseconds.
${kerberos.data.authorizations.<index>.pac.logoninfo.kickofftime}
Returns the time since Jan 1, 1970 at which the server should forcibly log off the client, in milliseconds. If the client should not be forced off, this variable returns null.
${kerberos.data.authorizations.<index>.pac.logoninfo.pwdlastchangetime}
Returns the time since Jan 1, 1970 at which the client’s password was last set, in milliseconds. If the password was never set, this variable returns null.
${kerberos.data.authorizations.<index>.pac.logoninfo.pwdcanchangetime}
Returns the time since Jan 1, 1970 at which the client’s password is allowed to change, in milliseconds. If there is no restriction on when the client may change its password, this variable is set to the time of the logon.
${kerberos.data.authorizations.<index>.pac.logoninfo.pwdmustchangetime}
Returns the time since Jan 1, 1970 at which the client’s password expires, in milliseconds. If the password does not expire, this variable returns null.
${kerberos.data.authorizations.<index>.pac.logoninfo.user.displayname}
Returns the friendly name of the client, if this has been defined in the Active Directory. This name is used only for display purposes, not for security purposes.
${kerberos.data.authorizations.<index>.pac.logoninfo.user.name}
Returns the client’s Windows 2000 UserName in the SamAccountName property, if this has been defined in the Active Directory.
${kerberos.data.authorizations.<index>.pac.logoninfo.logonscript}
Returns the path to the client’s log on script, if this has been defined in the Active Directory.
${kerberos.data.authorizations.<index>.pac.logoninfo.profilepath}
Returns the path to the client’s profile, if this has been defined in the Active Directory.
${kerberos.data.authorizations.<index>.pac.logoninfo.homedir}
Returns the path to the client’s home directory, if this has been defined in the Active Directory. This may be either a local path name or a UNC path name.
${kerberos.data.authorizations.<index>.pac.logoninfo.homedrive}
If the client’s home directory is a UNC path name, this variable returns the share on the remote file server that is mapped to the local drive letter specified in this variable. This variable returns a value only if it has been defined in the Active Directory.
${kerberos.data.authorizations.<index>.pac.logoninfo.logoncount}
Returns the count of how many times the client is currently logged on.
This statistic is not accurately maintained by Windows 2000 and may not be reliable.
${kerberos.data.authorizations.<index>.pac.logoninfo.badpasswordcount}
Returns the number of logon or password change attempts with bad passwords, since the last successful attempt.
${kerberos.data.authorizations.<index>.pac.logoninfo.userid}
Returns the relative ID for the client.
${kerberos.data.authorizations.<index>.pac.logoninfo.groupid}
Returns the relative ID for this client’s primary group.
${kerberos.data.authorizations.<index>.pac.logoninfo.groupcount}
Returns the number of groups, within the client’s domain, of which the client is a member.
${kerberos.data.authorizations.<index>.pac.logoninfo.groupids}
Returns an array of the relative IDs and attributes of the groups in the client’s domain of which the client is a member.
${kerberos.data.authorizations.<index>.pac.logoninfo.user.flags}
Returns information about which fields in this structure are valid. The two bits that may be set are indicated below. Having these flags set indicates that the corresponding fields in the KERB_VALIDATION_INFO structure are present and valid.
#define LOGON_EXTRA_SIDS 0x0020
#define LOGON_RESOURCE_GROUPS 0x0200
${kerberos.data.authorizations.<index>.pac.logoninfo.servername}
Returns the NETBIOS name of the KDC which performed the AS ticket request.
${kerberos.data.authorizations.<index>.pac.logoninfo.domain}
Returns the NETBIOS name of the client’s domain.
${kerberos.data.authorizations.<index>.pac.logoninfo.user.accountcontrol}
Returns a bitfield of information about the client’s account. The value may be any of the following:
USER_ACCOUNT_DISABLED (0x00000001)
USER_HOME_DIRECTORY_REQUIRED (0x00000002)
USER_PASSWORD_NOT_REQUIRED (0x00000004)
USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
USER_NORMAL_ACCOUNT (0x00000010)
USER_MNS_LOGON_ACCOUNT (0x00000020)
USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
USER_SERVER_TRUST_ACCOUNT (0x00000100)
USER_DONT_EXPIRE_PASSWORD (0x00000200)
USER_ACCOUNT_AUTO_LOCKED (0x00000400)
USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
USER_SMARTCARD_REQUIRED (0x00001000)
USER_TRUSTED_FOR_DELEGATION (0x00002000)
USER_NOT_DELEGATED (0x00004000)
USER_USE_DES_KEY_ONLY (0x00008000)
USER_DONT_REQUIRE_PREAUTH (0x00010000)
${kerberos.data.authorizations.<index>.pac.logoninfo.extrasids}
Returns a list of SIDs for groups of which the user is a member. This variable returns a value only if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field in the Active Directory.
${kerberos.data.authorizations.<index>.pac.logoninfo.resourcesids}
Returns an array of the relative IDs and attributes of the groups in the resource domain of which the resource is a member.
Signature Attributes
${kerberos.data.authorizations.<index>.pac.kdc.signature.checksum}
Returns an array of bytes containing the checksum data. The value is Base64 encoded.
${kerberos.data.authorizations.<index>.pac.kdc.signature.type}
Returns the type of checksum used to create a signature. The checksum will be a keyed checksum.
${kerberos.data.authorizations.<index>.pac.server.signature.checksum}
Returns an array of bytes containing the checksum data. The value is Base64 encoded.
Relevant Attributes
${kerberos.data.authorizations.<index>.relevant.<pac authorizations>}
Returns the relevant portion containing the authorizations, in the form of PAC authorization data that may include logoninfo or signatures as well. For example:
${kerberos.data.authorizations.1.relevant.authorizations.0.pac.logoninfo.user.name} - contains the PAC logoninfo user name attribute
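
The following added example (not part of the gateway product or its documentation) shows how the logoninfo values described above can feed an access decision: it decodes the accountcontrol bitfield, applies the null-means-no-limit rule to the time variables, and honors extrasids only when LOGON_EXTRA_SIDS is set in user.flags. The function name, the dictionary layout, the deny policy, and the assumption that bitfields arrive as integers are all hypothetical.

```python
import time

# Bits from the accountcontrol row that this example reports on (a subset).
REVIEW_BITS = {
    0x00000001: "USER_ACCOUNT_DISABLED",
    0x00000004: "USER_PASSWORD_NOT_REQUIRED",
    0x00000400: "USER_ACCOUNT_AUTO_LOCKED",
    0x00002000: "USER_TRUSTED_FOR_DELEGATION",
    0x00008000: "USER_USE_DES_KEY_ONLY",
    0x00010000: "USER_DONT_REQUIRE_PREAUTH",
}
DENY_BITS = 0x00000001 | 0x00000400  # example policy: disabled or auto-locked
LOGON_EXTRA_SIDS = 0x0020            # from the user.flags row

def evaluate_logoninfo(info, now_ms=None):
    """Return (allow, findings, extra_sids) for one authorization entry.

    `info` is a hypothetical dict keyed by the variable suffix that follows
    `.pac.logoninfo.`; bitfields are ints, times are milliseconds since
    Jan 1, 1970, or None where the variable returned null.
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    control = int(info.get("user.accountcontrol") or 0)
    findings = [name for bit, name in REVIEW_BITS.items() if control & bit]
    allow = not (control & DENY_BITS)
    # kickofftime and pwdmustchangetime return null when no limit applies;
    # treating a missing logofftime the same way is this example's assumption.
    for key in ("logofftime", "kickofftime", "pwdmustchangetime"):
        limit = info.get(key)
        if limit is not None and now_ms >= limit:
            findings.append(key + " passed")
            allow = False
    # extrasids carries a value only when LOGON_EXTRA_SIDS is set in user.flags.
    flags = int(info.get("user.flags") or 0)
    extra_sids = list(info.get("extrasids") or []) if flags & LOGON_EXTRA_SIDS else []
    return allow, findings, extra_sids

# Constructed sample values, not taken from a real ticket.
SAMPLE = {
    "user.name": "jdoe",
    "user.accountcontrol": 0x00010210,  # normal, non-expiring password, no pre-auth
    "user.flags": 0x0020,
    "logofftime": None,
    "kickofftime": 1_700_000_000_000,
    "pwdmustchangetime": None,
    "extrasids": ["S-1-5-21-1111111111-2222222222-3333333333-1105"],
}
```
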