> For the complete documentation index, see [llms.txt](https://www.impacket.wiki/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.impacket.wiki/reference/library-api/kerberos/asn1.md).

# Kerberos ASN.1

> Complete reference for Kerberos ASN.1 message structures, tickets, principals, and protocol data types

## Overview

The `impacket.krb5.asn1` module implements all ASN.1 (Abstract Syntax Notation One) structures defined in RFC 4120 and Microsoft extensions from \[MS-KILE]. These structures represent Kerberos protocol messages, tickets, and data types encoded using Distinguished Encoding Rules (DER).

## Module Location

```python
from impacket.krb5.asn1 import (
    AS_REQ, AS_REP, TGS_REQ, TGS_REP,
    AP_REQ, AP_REP, KRB_ERROR,
    Ticket, EncryptedData, PrincipalName,
    EncASRepPart, EncTGSRepPart
)
```

**Source**: `impacket/krb5/asn1.py`

## Basic Data Types

### Primitive Types

#### Int32

32-bit signed integer used throughout Kerberos messages.

```python
class Int32(univ.Integer):
    subtypeSpec = constraint.ValueRangeConstraint(-2147483648, 2147483647)
```

**Range**: -2,147,483,648 to 2,147,483,647

#### UInt32

32-bit unsigned integer for nonces and sequence numbers.

```python
class UInt32(univ.Integer):
    pass  # 0 to 4,294,967,295
```

#### Microseconds

Microsecond values for timestamps.

```python
class Microseconds(univ.Integer):
    subtypeSpec = constraint.ValueRangeConstraint(0, 999999)
```

**Range**: 0 to 999,999

#### KerberosString

UTF-8 encoded general string.

```python
class KerberosString(char.GeneralString):
    encoding = 'utf-8'

# Usage
krb_string = KerberosString('username')
```

#### Realm

Kerberos realm name (domain).

```python
class Realm(KerberosString):
    pass

# Example
realm = Realm('DOMAIN.LOCAL')
```

#### KerberosTime

Generalized time format: YYYYMMDDHHMMSSz

```python
class KerberosTime(useful.GeneralizedTime):
    pass

# Format: "20240315120000Z"
```

### KerberosFlags

Bit string for flags (32 bits minimum).

```python
class KerberosFlags(univ.BitString):
    pass

# Usage with helper function
from impacket.krb5.asn1 import seq_set_flags
from impacket.krb5.constants import TicketFlags

flags = TicketFlags()
flags.forwardable = True
flags.renewable = True
seq_set_flags(ticket, 'flags', flags)
```

## Principal Names

### PrincipalName

Represents a Kerberos principal identity.

```python
class PrincipalName(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component("name-type", 0, Int32()),
        _sequence_component("name-string", 1,
                          univ.SequenceOf(componentType=KerberosString()))
    )
```

**Fields**:

* `name-type`: Principal type (NT\_PRINCIPAL, NT\_SRV\_INST, etc.)
* `name-string`: Sequence of name components

**Example**:

```python
from impacket.krb5.asn1 import PrincipalName, seq_set
from impacket.krb5 import constants

# Create principal
principal = PrincipalName()
principal.setComponentByName('name-type',
                             constants.PrincipalNameType.NT_PRINCIPAL.value)

# Set name components
name_string = principal.setComponentByName('name-string').getComponentByName('name-string')
name_string.setComponentByPosition(0, 'john')
name_string.setComponentByPosition(1, 'admin')  # Optional instance

# Result: john/admin
```

**Common Name Types**:

* `NT_PRINCIPAL = 1`: User principal (user\@REALM)
* `NT_SRV_INST = 2`: Service with instance (krbtgt/REALM)
* `NT_SRV_HST = 3`: Service with host (host/server.domain)
* `NT_ENTERPRISE = 10`: UPN format

## Encryption Structures

### EncryptionKey

Cryptographic key with type identifier.

```python
class EncryptionKey(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component('keytype', 0, Int32()),
        _sequence_component('keyvalue', 1, univ.OctetString())
    )
```

**Fields**:

* `keytype`: Encryption algorithm identifier
* `keyvalue`: Raw key bytes

**Example**:

```python
from binascii import unhexlify

key = EncryptionKey()
key.setComponentByName('keytype', 18)  # AES256
key.setComponentByName('keyvalue', unhexlify('a1b2c3...'))
```

**Key Types**:

* `1`: DES-CBC-CRC
* `3`: DES-CBC-MD5
* `16`: DES3-CBC-SHA1
* `17`: AES128-CTS-HMAC-SHA1-96
* `18`: AES256-CTS-HMAC-SHA1-96
* `23`: RC4-HMAC

### EncryptedData

Encrypted data with algorithm and optional version.

```python
class EncryptedData(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component("etype", 0, Int32()),
        _sequence_optional_component("kvno", 1, UInt32()),
        _sequence_component("cipher", 2, univ.OctetString())
    )
```

**Fields**:

* `etype`: Encryption type
* `kvno`: Key version number (optional)
* `cipher`: Encrypted ciphertext

**Example**:

```python
enc_data = EncryptedData()
enc_data.setComponentByName('etype', 18)  # AES256
enc_data.setComponentByName('kvno', 3)
enc_data.setComponentByName('cipher', ciphertext_bytes)
```

### Checksum

Integrity checksum for messages.

```python
class Checksum(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component('cksumtype', 0, Int32()),
        _sequence_component('checksum', 1, univ.OctetString())
    )
```

**Fields**:

* `cksumtype`: Checksum algorithm
* `checksum`: Checksum value

**Checksum Types**:

* `12`: HMAC-SHA1-DES3
* `15`: HMAC-SHA1-96-AES128
* `16`: HMAC-SHA1-96-AES256
* `-138`: HMAC-MD5 (0xffffff76)

## Ticket Structures

### Ticket

Kerberos ticket for service access.

```python
class Ticket(univ.Sequence):
    tagSet = _application_tag(constants.ApplicationTagNumbers.Ticket.value)
    componentType = namedtype.NamedTypes(
        _vno_component(name="tkt-vno", tag_value=0),
        _sequence_component("realm", 1, Realm()),
        _sequence_component("sname", 2, PrincipalName()),
        _sequence_component("enc-part", 3, EncryptedData())
    )
```

**Fields**:

* `tkt-vno`: Ticket version (always 5)
* `realm`: Service realm
* `sname`: Service principal name
* `enc-part`: Encrypted ticket contents

**Example**:

```python
from pyasn1.codec.der import decoder, encoder

# Parse ticket
ticket = decoder.decode(ticket_bytes, asn1Spec=Ticket())[0]

print(f"Realm: {ticket['realm']}")
print(f"Service: {ticket['sname']}")
print(f"Encryption: {ticket['enc-part']['etype']}")

# Encode ticket
ticket_bytes = encoder.encode(ticket)
```

### EncTicketPart

Decrypted ticket contents (encrypted in ticket).

```python
class EncTicketPart(univ.Sequence):
    tagSet = _application_tag(constants.ApplicationTagNumbers.EncTicketPart.value)
    componentType = namedtype.NamedTypes(
        _sequence_component("flags", 0, TicketFlags()),
        _sequence_component("key", 1, EncryptionKey()),
        _sequence_component("crealm", 2, Realm()),
        _sequence_component("cname", 3, PrincipalName()),
        _sequence_component("transited", 4, TransitedEncoding()),
        _sequence_component("authtime", 5, KerberosTime()),
        _sequence_optional_component("starttime", 6, KerberosTime()),
        _sequence_component("endtime", 7, KerberosTime()),
        _sequence_optional_component("renew-till", 8, KerberosTime()),
        _sequence_optional_component("caddr", 9, HostAddresses()),
        _sequence_optional_component("authorization-data", 10, AuthorizationData())
    )
```

**Key Fields**:

* `flags`: Ticket flags (forwardable, renewable, etc.)
* `key`: Session key for client-service communication
* `crealm`: Client realm
* `cname`: Client principal name
* `authtime`: Initial authentication time
* `starttime`: Ticket valid start time
* `endtime`: Ticket expiration time
* `renew-till`: Renewable until time
* `authorization-data`: MS-PAC and other authz data

### TicketFlags

Bit flags controlling ticket behavior.

```python
class TicketFlags(KerberosFlags):
    pass
```

**Common Flags**:

* Bit 1: `forwardable` - Can be forwarded to another service
* Bit 2: `forwarded` - Ticket was forwarded
* Bit 3: `proxiable` - Can be used to obtain proxy
* Bit 8: `renewable` - Can be renewed
* Bit 9: `initial` - Initial authentication
* Bit 10: `pre-authent` - Pre-authentication used

## Request Structures

### AS-REQ (Authentication Service Request)

Initial authentication request for TGT.

```python
class AS_REQ(KDC_REQ):
    tagSet = _application_tag(constants.ApplicationTagNumbers.AS_REQ.value)
```

**Inherits from KDC\_REQ**:

```python
class KDC_REQ(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _vno_component(1),
        _msg_type_component(2, (AS_REQ_TAG, TGS_REQ_TAG)),
        _sequence_optional_component('padata', 3,
                                    univ.SequenceOf(componentType=PA_DATA())),
        _sequence_component('req-body', 4, KDC_REQ_BODY())
    )
```

**Fields**:

* `pvno`: Protocol version (5)
* `msg-type`: Message type (10 for AS-REQ)
* `padata`: Pre-authentication data
* `req-body`: Request body

**Example**:

```python
from impacket.krb5.asn1 import AS_REQ, seq_set
from pyasn1.type.univ import noValue

asReq = AS_REQ()
asReq['pvno'] = 5
asReq['msg-type'] = 10

# Add pre-auth data
asReq['padata'] = noValue
asReq['padata'][0] = noValue
asReq['padata'][0]['padata-type'] = 2  # PA-ENC-TIMESTAMP
asReq['padata'][0]['padata-value'] = enc_timestamp

# Set request body
reqBody = seq_set(asReq, 'req-body')
reqBody['realm'] = 'DOMAIN.LOCAL'
reqBody['nonce'] = 123456
```

### KDC\_REQ\_BODY

Request body for AS-REQ and TGS-REQ.

```python
class KDC_REQ_BODY(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component('kdc-options', 0, KDCOptions()),
        _sequence_optional_component('cname', 1, PrincipalName()),
        _sequence_component('realm', 2, Realm()),
        _sequence_optional_component('sname', 3, PrincipalName()),
        _sequence_optional_component('from', 4, KerberosTime()),
        _sequence_component('till', 5, KerberosTime()),
        _sequence_optional_component('rtime', 6, KerberosTime()),
        _sequence_component('nonce', 7, UInt32()),
        _sequence_component('etype', 8, univ.SequenceOf(componentType=Int32())),
        _sequence_optional_component('addresses', 9, HostAddresses()),
        _sequence_optional_component('enc-authorization-data', 10, EncryptedData()),
        _sequence_optional_component('additional-tickets', 11,
                                    univ.SequenceOf(componentType=Ticket()))
    )
```

**Key Fields**:

* `kdc-options`: Request options (forwardable, renewable, etc.)
* `cname`: Client name (AS-REQ only)
* `realm`: Target realm
* `sname`: Service name
* `till`: Requested expiration time
* `nonce`: Random nonce for replay protection
* `etype`: Acceptable encryption types

### TGS-REQ (Ticket Granting Service Request)

Request for service ticket.

```python
class TGS_REQ(KDC_REQ):
    tagSet = _application_tag(constants.ApplicationTagNumbers.TGS_REQ.value)
```

**TGS-REQ Pre-auth Data**:

```python
# Requires AP-REQ in padata
tgsReq['padata'][0]['padata-type'] = 1  # PA-TGS-REQ
tgsReq['padata'][0]['padata-value'] = encoder.encode(apReq)
```

### PA\_DATA

Pre-authentication data.

```python
class PA_DATA(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component('padata-type', 1, Int32()),
        _sequence_component('padata-value', 2, univ.OctetString())
    )
```

**Common PA Types**:

* `1`: PA-TGS-REQ (AP-REQ for TGS)
* `2`: PA-ENC-TIMESTAMP (encrypted timestamp)
* `11`: PA-ETYPE-INFO (salt information)
* `19`: PA-ETYPE-INFO2 (extended salt info)
* `128`: PA-PAC-REQUEST (request PAC)
* `129`: PA-FOR-USER (S4U2Self)

**Example**:

```python
from impacket.krb5.asn1 import PA_DATA, PA_ENC_TIMESTAMP
from pyasn1.codec.der import encoder

# Create encrypted timestamp
pa_enc_ts = PA_ENC_TS_ENC()
pa_enc_ts['patimestamp'] = KerberosTime.to_asn1(now)
pa_enc_ts['pausec'] = now.microsecond

# Encrypt it
enc_ts = cipher.encrypt(key, 1, encoder.encode(pa_enc_ts), None)

# Wrap in PA_DATA
padata = PA_DATA()
padata['padata-type'] = 2
padata['padata-value'] = enc_ts
```

## Response Structures

### AS-REP (Authentication Service Reply)

TGT response from KDC.

```python
class AS_REP(KDC_REP):
    tagSet = _application_tag(constants.ApplicationTagNumbers.AS_REP.value)
```

**Inherits from KDC\_REP**:

```python
class KDC_REP(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _vno_component(0),
        _msg_type_component(1, (AS_REP_TAG, TGS_REP_TAG)),
        _sequence_optional_component('padata', 2,
                                    univ.SequenceOf(componentType=PA_DATA())),
        _sequence_component('crealm', 3, Realm()),
        _sequence_component('cname', 4, PrincipalName()),
        _sequence_component('ticket', 5, Ticket()),
        _sequence_component('enc-part', 6, EncryptedData())
    )
```

**Fields**:

* `pvno`: Protocol version (5)
* `msg-type`: Message type (11 for AS-REP)
* `crealm`: Client realm
* `cname`: Client name
* `ticket`: The TGT
* `enc-part`: Encrypted part (session key, times, etc.)

**Example**:

```python
from pyasn1.codec.der import decoder

# Decode AS-REP
asRep = decoder.decode(response_bytes, asn1Spec=AS_REP())[0]

# Extract ticket
tgt = asRep['ticket']

# Decrypt enc-part
cipherText = asRep['enc-part']['cipher']
plainText = cipher.decrypt(key, 3, cipherText)  # Key usage 3

encASRepPart = decoder.decode(plainText, asn1Spec=EncASRepPart())[0]
sessionKey = encASRepPart['key']
```

### EncASRepPart

Decrypted AS-REP encrypted part.

```python
class EncASRepPart(EncKDCRepPart):
    tagSet = _application_tag(constants.ApplicationTagNumbers.EncASRepPart.value)
```

**Inherits from EncKDCRepPart**:

```python
class EncKDCRepPart(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component('key', 0, EncryptionKey()),
        _sequence_component('last-req', 1, LastReq()),
        _sequence_component('nonce', 2, UInt32()),
        _sequence_optional_component('key-expiration', 3, KerberosTime()),
        _sequence_component('flags', 4, TicketFlags()),
        _sequence_component('authtime', 5, KerberosTime()),
        _sequence_optional_component('starttime', 6, KerberosTime()),
        _sequence_component('endtime', 7, KerberosTime()),
        _sequence_optional_component('renew-till', 8, KerberosTime()),
        _sequence_component('srealm', 9, Realm()),
        _sequence_component('sname', 10, PrincipalName()),
        _sequence_optional_component('caddr', 11, HostAddresses())
    )
```

**Critical Fields**:

* `key`: Session key for TGS-REQ
* `nonce`: Must match request nonce
* `flags`: Ticket flags granted
* `authtime`: Authentication time
* `endtime`: TGT expiration
* `srealm`: Server realm
* `sname`: Server name (krbtgt/REALM)

### TGS-REP (Ticket Granting Service Reply)

Service ticket response.

```python
class TGS_REP(KDC_REP):
    tagSet = _application_tag(constants.ApplicationTagNumbers.TGS_REP.value)
```

**Similar to AS-REP but**:

* `msg-type`: 13
* `ticket`: Service ticket (not TGT)
* Encrypted with TGS session key

### EncTGSRepPart

Decrypted TGS-REP encrypted part.

```python
class EncTGSRepPart(EncKDCRepPart):
    tagSet = _application_tag(constants.ApplicationTagNumbers.EncTGSRepPart.value)
```

**Key usage**: 8 (TGS session key)

## Application Protocol

### AP-REQ (Application Request)

Client authentication to service.

```python
class AP_REQ(univ.Sequence):
    tagSet = _application_tag(constants.ApplicationTagNumbers.AP_REQ.value)
    componentType = namedtype.NamedTypes(
        _vno_component(0),
        _msg_type_component(1, (AP_REQ_TAG,)),
        _sequence_component('ap-options', 2, APOptions()),
        _sequence_component('ticket', 3, Ticket()),
        _sequence_component('authenticator', 4, EncryptedData())
    )
```

**Fields**:

* `pvno`: 5
* `msg-type`: 14
* `ap-options`: Request options
* `ticket`: Service ticket from TGS-REP
* `authenticator`: Encrypted authenticator

**AP Options**:

* Bit 2: `mutual-required` - Request AP-REP

**Example**:

```python
apReq = AP_REQ()
apReq['pvno'] = 5
apReq['msg-type'] = 14

# Set mutual authentication
opts = []
opts.append(2)  # mutual-required
apReq['ap-options'] = constants.encodeFlags(opts)

# Set ticket
seq_set(apReq, 'ticket', ticket.to_asn1)

# Create and encrypt authenticator
authenticator = Authenticator()
authenticator['authenticator-vno'] = 5
authenticator['crealm'] = domain
authenticator['cusec'] = now.microsecond
authenticator['ctime'] = KerberosTime.to_asn1(now)

enc_auth = cipher.encrypt(sessionKey, 11, encoder.encode(authenticator), None)
apReq['authenticator']['etype'] = cipher.enctype
apReq['authenticator']['cipher'] = enc_auth
```

### Authenticator

Proof of session key possession.

```python
class Authenticator(univ.Sequence):
    tagSet = _application_tag(constants.ApplicationTagNumbers.Authenticator.value)
    componentType = namedtype.NamedTypes(
        _vno_component(name='authenticator-vno', tag_value=0),
        _sequence_component('crealm', 1, Realm()),
        _sequence_component('cname', 2, PrincipalName()),
        _sequence_optional_component('cksum', 3, Checksum()),
        _sequence_component('cusec', 4, Microseconds()),
        _sequence_component('ctime', 5, KerberosTime()),
        _sequence_optional_component('subkey', 6, EncryptionKey()),
        _sequence_optional_component('seq-number', 7, UInt32()),
        _sequence_optional_component('authorization-data', 8, AuthorizationData())
    )
```

**Fields**:

* `crealm`: Client realm
* `cname`: Client name
* `cksum`: Checksum of application data (optional)
* `cusec`: Microseconds of ctime
* `ctime`: Current time
* `subkey`: Optional session subkey
* `seq-number`: Sequence number

**Key Usage**: 11 (for encryption)

### AP-REP (Application Reply)

Mutual authentication response.

```python
class AP_REP(univ.Sequence):
    tagSet = _application_tag(constants.ApplicationTagNumbers.AP_REP.value)
    componentType = namedtype.NamedTypes(
        _vno_component(0),
        _msg_type_component(1, (AP_REP_TAG,)),
        _sequence_component('enc-part', 2, EncryptedData())
    )
```

**Fields**:

* `pvno`: 5
* `msg-type`: 15
* `enc-part`: Encrypted EncAPRepPart

### EncAPRepPart

Decrypted AP-REP contents.

```python
class EncAPRepPart(univ.Sequence):
    tagSet = _application_tag(constants.ApplicationTagNumbers.EncApRepPart.value)
    componentType = namedtype.NamedTypes(
        _sequence_component('ctime', 0, KerberosTime()),
        _sequence_component('cusec', 1, Microseconds()),
        _sequence_optional_component('subkey', 2, EncryptionKey()),
        _sequence_optional_component('seq-number', 3, UInt32())
    )
```

**Key Usage**: 12

## Error Messages

### KRB\_ERROR

Error response from KDC or service.

```python
class KRB_ERROR(univ.Sequence):
    tagSet = _application_tag(constants.ApplicationTagNumbers.KRB_ERROR.value)
    componentType = namedtype.NamedTypes(
        _vno_component(0),
        _msg_type_component(1, (KRB_ERROR_TAG,)),
        _sequence_optional_component('ctime', 2, KerberosTime()),
        _sequence_optional_component('cusec', 3, Microseconds()),
        _sequence_component('stime', 4, KerberosTime()),
        _sequence_component('susec', 5, Microseconds()),
        _sequence_component('error-code', 6, Int32()),
        _sequence_optional_component('crealm', 7, Realm()),
        _sequence_optional_component('cname', 8, PrincipalName()),
        _sequence_component('realm', 9, Realm()),
        _sequence_component('sname', 10, PrincipalName()),
        _sequence_optional_component('e-text', 11, KerberosString()),
        _sequence_optional_component('e-data', 12, univ.OctetString())
    )
```

**Critical Fields**:

* `stime`: Server time
* `error-code`: Kerberos error code
* `e-text`: Human-readable error
* `e-data`: Additional error data

**Example**:

```python
try:
    asRep = decoder.decode(response, asn1Spec=AS_REP())[0]
except:
    krbError = decoder.decode(response, asn1Spec=KRB_ERROR())[0]
    error_code = krbError['error-code']

    if error_code == 25:  # KDC_ERR_PREAUTH_REQUIRED
        # Extract salt from e-data
        methods = decoder.decode(krbError['e-data'], asn1Spec=METHOD_DATA())[0]
        # Process pre-auth requirements
```

## Microsoft Extensions

### KERB\_PA\_PAC\_REQUEST

Request PAC in ticket.

```python
class KERB_PA_PAC_REQUEST(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('include-pac', univ.Boolean().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0)))
    )
```

**Usage**:

```python
pacRequest = KERB_PA_PAC_REQUEST()
pacRequest['include-pac'] = True
encodedPacRequest = encoder.encode(pacRequest)

asReq['padata'][0]['padata-type'] = 128  # PA-PAC-REQUEST
asReq['padata'][0]['padata-value'] = encodedPacRequest
```

### PA\_FOR\_USER\_ENC

S4U2Self protocol data.

```python
class PA_FOR_USER_ENC(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component('userName', 0, PrincipalName()),
        _sequence_optional_component('userRealm', 1, Realm()),
        _sequence_optional_component('cksum', 2, Checksum()),
        _sequence_optional_component('auth-package', 3, KerberosString())
    )
```

**Purpose**: Request ticket on behalf of user

### PA\_S4U\_X509\_USER

S4U with certificate.

```python
class PA_S4U_X509_USER(univ.Sequence):
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('user-id', S4UUserID().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))),
        namedtype.NamedType('checksum', Checksum().subtype(
            explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1)))
    )
```

### ETYPE\_INFO2

Extended encryption type info.

```python
class ETYPE_INFO2_ENTRY(univ.Sequence):
    componentType = namedtype.NamedTypes(
        _sequence_component('etype', 0, Int32()),
        _sequence_optional_component('salt', 1, KerberosString()),
        _sequence_optional_component('s2kparams', 2, univ.OctetString())
    )

class ETYPE_INFO2(univ.SequenceOf):
    componentType = ETYPE_INFO2_ENTRY()
```

**Usage**: Provides salt for string-to-key conversion

## Helper Functions

### seq\_set

Set component and return it for chaining.

```python
def seq_set(seq, name, builder=None, *args, **kwargs):
    component = seq.setComponentByName(name).getComponentByName(name)
    if builder is not None:
        seq.setComponentByName(name, builder(component, *args, **kwargs))
    else:
        seq.setComponentByName(name)
    return seq.getComponentByName(name)

# Usage
reqBody = seq_set(asReq, 'req-body')
seq_set(reqBody, 'sname', serverName.components_to_asn1)
```

### seq\_set\_iter

Set sequence from iterable.

```python
def seq_set_iter(seq, name, iterable):
    component = seq.setComponentByName(name).getComponentByName(name)
    for pos, v in enumerate(iterable):
        component.setComponentByPosition(pos, v)

# Usage
seq_set_iter(reqBody, 'etype', (17, 18, 23))  # AES128, AES256, RC4
```

### seq\_append

Append to sequence component.

```python
def seq_append(seq, name, pairs):
    component = seq.getComponentByName(name)
    if component is None:
        component = seq.setComponentByName(name).getComponentByName(name)
    index = len(component)
    element = component.setComponentByPosition(index).getComponentByPosition(index)
    for k, v in pairs.items():
        element.setComponentByName(k, v)

# Usage
seq_append(asReq, 'padata', {'padata-type': 2, 'padata-value': data})
```

## Encoding/Decoding

### Encoding to DER

```python
from pyasn1.codec.der import encoder

# Encode AS-REQ to bytes
asReqBytes = encoder.encode(asReq)

# Send to KDC
messageLen = struct.pack('!i', len(asReqBytes))
socket.sendall(messageLen + asReqBytes)
```

### Decoding from DER

```python
from pyasn1.codec.der import decoder

# Try to decode as AS-REP
try:
    asRep = decoder.decode(responseBytes, asn1Spec=AS_REP())[0]
except:
    # Maybe it's an error
    krbError = decoder.decode(responseBytes, asn1Spec=KRB_ERROR())[0]
```

## Complete Example

### Building AS-REQ

```python
from impacket.krb5.asn1 import (
    AS_REQ, PA_DATA, KERB_PA_PAC_REQUEST,
    PA_ENC_TS_ENC, EncryptedData, seq_set, seq_set_iter
)
from impacket.krb5.types import Principal, KerberosTime
from impacket.krb5 import constants, crypto
from pyasn1.codec.der import encoder
from pyasn1.type.univ import noValue
import datetime

def build_as_req(username, password, domain, salt):
    # Create AS-REQ
    asReq = AS_REQ()
    asReq['pvno'] = 5
    asReq['msg-type'] = int(constants.ApplicationTagNumbers.AS_REQ.value)

    # Add PAC request
    pacRequest = KERB_PA_PAC_REQUEST()
    pacRequest['include-pac'] = True
    encodedPacRequest = encoder.encode(pacRequest)

    asReq['padata'] = noValue
    asReq['padata'][0] = noValue
    asReq['padata'][0]['padata-type'] = 128
    asReq['padata'][0]['padata-value'] = encodedPacRequest

    # Add encrypted timestamp
    cipher = crypto._enctype_table[18]  # AES256
    key = cipher.string_to_key(password, salt, None)

    timeStamp = PA_ENC_TS_ENC()
    now = datetime.datetime.now(datetime.timezone.utc)
    timeStamp['patimestamp'] = KerberosTime.to_asn1(now)
    timeStamp['pausec'] = now.microsecond

    encTS = cipher.encrypt(key, 1, encoder.encode(timeStamp), None)

    encryptedData = EncryptedData()
    encryptedData['etype'] = cipher.enctype
    encryptedData['cipher'] = encTS

    asReq['padata'][1] = noValue
    asReq['padata'][1]['padata-type'] = 2
    asReq['padata'][1]['padata-value'] = encoder.encode(encryptedData)

    # Build request body
    clientName = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
    serverName = Principal(f'krbtgt/{domain}', type=constants.PrincipalNameType.NT_SRV_INST.value)

    reqBody = seq_set(asReq, 'req-body')
    opts = [1, 8, 3]  # forwardable, renewable, proxiable
    reqBody['kdc-options'] = constants.encodeFlags(opts)
    seq_set(reqBody, 'cname', clientName.components_to_asn1)
    seq_set(reqBody, 'sname', serverName.components_to_asn1)
    reqBody['realm'] = domain
    reqBody['till'] = KerberosTime.to_asn1(now + datetime.timedelta(days=1))
    reqBody['nonce'] = 12345
    seq_set_iter(reqBody, 'etype', (18,))  # AES256 only

    return encoder.encode(asReq)
```

## See Also

* [Kerberos Overview](/reference/library-api/kerberos/overview.md)
* [Crypto Reference](/reference/library-api/kerberos/crypto.md)
* [CCache Reference](/reference/library-api/kerberos/ccache.md)
* [RFC 4120 - Kerberos V5](https://www.rfc-editor.org/rfc/rfc4120.html)
* [MS-KILE](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://www.impacket.wiki/reference/library-api/kerberos/asn1.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
