REGENERATE epan/dissectors/packet-kerberos.c => pushd epan/dissectors/asn1/kerberos...
authorStefan Metzmacher <metze@samba.org>
Wed, 22 Aug 2018 15:10:37 +0000 (17:10 +0200)
committerStefan Metzmacher <metze@samba.org>
Sun, 20 Jan 2019 22:14:58 +0000 (23:14 +0100)
Change-Id: If72c040f3ffd2322b76f73003cf2a2a38353d4e6

epan/dissectors/packet-kerberos.c

index 2798948..7d75285 100644 (file)
 
 #include <config.h>
 
+//TODO
+#define HAVE_KRB5_CRYPTO_FX_CF2 1
+#define HAVE_KRB5_C_FX_CF2_SIMPLE 1
+
 #include <stdio.h>
 
 #include <epan/packet.h>
 #include <epan/asn1.h>
 #include <epan/expert.h>
 #include <epan/prefs.h>
+#include <epan/proto_data.h>
 #include <wsutil/wsgcrypt.h>
 #include <wsutil/file_util.h>
 #include <wsutil/str_util.h>
+#include <wsutil/pint.h>
 #include "packet-kerberos.h"
 #include "packet-netbios.h"
 #include "packet-tcp.h"
 #include "packet-smb-common.h"
 #include "packet-x509af.h"
 
+#define KEY_USAGE_FAST_REQ_CHKSUM       50
+#define KEY_USAGE_FAST_ENC              51
+#define KEY_USAGE_FAST_REP              52
+#define KEY_USAGE_FAST_FINISHED         53
+#define KEY_USAGE_ENC_CHALLENGE_CLIENT  54
+#define KEY_USAGE_ENC_CHALLENGE_KDC     55
+
 void proto_register_kerberos(void);
 void proto_reg_handoff_kerberos(void);
 
@@ -95,6 +108,8 @@ typedef struct kerberos_key {
 
 typedef struct {
        guint32 msg_type;
+       guint32 errorcode;
+       gboolean try_nt_status;
        guint32 etype;
        guint32 padata_type;
        guint32 is_enc_padata;
@@ -103,23 +118,45 @@ typedef struct {
        guint32 ad_type;
        guint32 addr_type;
        guint32 checksum_type;
+       const enc_key_t *last_decryption_key;
+       gboolean is_win2k_pkinit;
+       guint32 fast_type;
+       gboolean fast_armor_request;
+       gboolean fast_armor_within_enc_ticket_part;
+       const enc_key_t *fast_armor_ticket_sessionkey;
+       gboolean fast_armor_within_authenticator;
+       const enc_key_t *fast_armor_remote_subkey;
+       const enc_key_t *fast_armor_key;
+       gboolean fast_strengthen_key_needed;
+       const enc_key_t *fast_strengthen_key;
 } kerberos_private_data_t;
 
 static dissector_handle_t kerberos_handle_udp;
 
 /* Forward declarations */
 static int dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_AuthorizationData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
-static int dissect_kerberos_KERB_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_ENC_TS_ENC(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_PA_S4U_X509_USER(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_ETYPE_INFO2(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
-static int dissect_kerberos_PA_AUTHENTICATION_SET(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
-static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 static int dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_KrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_KrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_SUPPORTED_ENCTYPES(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_PA_PAC_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_KERB_AD_RESTRICTION_ENTRY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_SEQUENCE_OF_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_AD_AP_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_AD_TARGET_PRINCIPAL(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
+static int dissect_kerberos_Checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_);
 
 /* Desegment Kerberos over TCP messages */
 static gboolean krb_desegment = TRUE;
@@ -160,7 +197,10 @@ static gint hf_krb_pac_clientid = -1;
 static gint hf_krb_pac_namelen = -1;
 static gint hf_krb_pac_clientname = -1;
 static gint hf_krb_pac_logon_info = -1;
-static gint hf_krb_pac_credential_type = -1;
+static gint hf_krb_pac_credential_data = -1;
+static gint hf_krb_pac_credential_info = -1;
+static gint hf_krb_pac_credential_info_version = -1;
+static gint hf_krb_pac_credential_info_etype = -1;
 static gint hf_krb_pac_s4u_delegation_info = -1;
 static gint hf_krb_pac_upn_dns_info = -1;
 static gint hf_krb_pac_upn_flags = -1;
@@ -173,6 +213,22 @@ static gint hf_krb_pac_upn_dns_name = -1;
 static gint hf_krb_pac_server_checksum = -1;
 static gint hf_krb_pac_privsvr_checksum = -1;
 static gint hf_krb_pac_client_info_type = -1;
+static gint hf_krb_pac_client_claims_info = -1;
+static gint hf_krb_pac_device_info = -1;
+static gint hf_krb_pac_device_claims_info = -1;
+static gint hf_krb_pa_supported_enctypes = -1;
+static gint hf_krb_pa_supported_enctypes_des_cbc_crc = -1;
+static gint hf_krb_pa_supported_enctypes_des_cbc_md5 = -1;
+static gint hf_krb_pa_supported_enctypes_rc4_hmac = -1;
+static gint hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96 = -1;
+static gint hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96 = -1;
+static gint hf_krb_pa_supported_enctypes_fast_supported = -1;
+static gint hf_krb_pa_supported_enctypes_compound_identity_supported = -1;
+static gint hf_krb_pa_supported_enctypes_claims_supported = -1;
+static gint hf_krb_pa_supported_enctypes_resource_sid_compression_disabled = -1;
+static gint hf_krb_ad_ap_options = -1;
+static gint hf_krb_ad_ap_options_cbt = -1;
+static gint hf_krb_ad_target_principal = -1;
 
 /*--- Included file: packet-kerberos-hf.c ---*/
 #line 1 "./asn1/kerberos/packet-kerberos-hf.c"
@@ -205,19 +261,19 @@ static int hf_kerberos_addr_type = -1;            /* ADDR_TYPE */
 static int hf_kerberos_address = -1;              /* T_address */
 static int hf_kerberos_HostAddresses_item = -1;   /* HostAddress */
 static int hf_kerberos_AuthorizationData_item = -1;  /* AuthorizationData_item */
-static int hf_kerberos_ad_type = -1;              /* T_ad_type */
+static int hf_kerberos_ad_type = -1;              /* AUTHDATA_TYPE */
 static int hf_kerberos_ad_data = -1;              /* T_ad_data */
 static int hf_kerberos_padata_type = -1;          /* PADATA_TYPE */
 static int hf_kerberos_padata_value = -1;         /* T_padata_value */
-static int hf_kerberos_etype = -1;                /* ENCTYPE */
-static int hf_kerberos_kvno = -1;                 /* UInt32 */
-static int hf_kerberos_cipher = -1;               /* OCTET_STRING */
 static int hf_kerberos_keytype = -1;              /* T_keytype */
 static int hf_kerberos_keyvalue = -1;             /* T_keyvalue */
 static int hf_kerberos_cksumtype = -1;            /* CKSUMTYPE */
 static int hf_kerberos_checksum = -1;             /* T_checksum */
+static int hf_kerberos_etype = -1;                /* ENCTYPE */
+static int hf_kerberos_kvno = -1;                 /* UInt32 */
 static int hf_kerberos_encryptedTicketData_cipher = -1;  /* T_encryptedTicketData_cipher */
 static int hf_kerberos_encryptedAuthorizationData_cipher = -1;  /* T_encryptedAuthorizationData_cipher */
+static int hf_kerberos_encryptedAuthenticator_cipher = -1;  /* T_encryptedAuthenticator_cipher */
 static int hf_kerberos_encryptedKDCREPData_cipher = -1;  /* T_encryptedKDCREPData_cipher */
 static int hf_kerberos_encryptedAPREPData_cipher = -1;  /* T_encryptedAPREPData_cipher */
 static int hf_kerberos_encryptedKrbPrivData_cipher = -1;  /* T_encryptedKrbPrivData_cipher */
@@ -264,7 +320,7 @@ static int hf_kerberos_LastReq_item = -1;         /* LastReq_item */
 static int hf_kerberos_lr_type = -1;              /* LR_TYPE */
 static int hf_kerberos_lr_value = -1;             /* KerberosTime */
 static int hf_kerberos_ap_options = -1;           /* APOptions */
-static int hf_kerberos_authenticator_01 = -1;     /* EncryptedAuthorizationData */
+static int hf_kerberos_authenticator_enc_part = -1;  /* EncryptedAuthenticator */
 static int hf_kerberos_authenticator_vno = -1;    /* INTEGER_5 */
 static int hf_kerberos_cksum = -1;                /* Checksum */
 static int hf_kerberos_cusec = -1;                /* Microseconds */
@@ -295,11 +351,14 @@ static int hf_kerberos_e_data = -1;               /* T_e_data */
 static int hf_kerberos_e_checksum = -1;           /* Checksum */
 static int hf_kerberos_METHOD_DATA_item = -1;     /* PA_DATA */
 static int hf_kerberos_pA_ENC_TIMESTAMP_cipher = -1;  /* T_pA_ENC_TIMESTAMP_cipher */
-static int hf_kerberos_salt = -1;                 /* OCTET_STRING */
+static int hf_kerberos_patimestamp = -1;          /* KerberosTime */
+static int hf_kerberos_pausec = -1;               /* Microseconds */
+static int hf_kerberos_info_salt = -1;            /* OCTET_STRING */
 static int hf_kerberos_ETYPE_INFO_item = -1;      /* ETYPE_INFO_ENTRY */
-static int hf_kerberos_salt_01 = -1;              /* KerberosString */
+static int hf_kerberos_info2_salt = -1;           /* KerberosString */
 static int hf_kerberos_s2kparams = -1;            /* OCTET_STRING */
 static int hf_kerberos_ETYPE_INFO2_item = -1;     /* ETYPE_INFO2_ENTRY */
+static int hf_kerberos_include_pac = -1;          /* BOOLEAN */
 static int hf_kerberos_name = -1;                 /* PrincipalName */
 static int hf_kerberos_auth = -1;                 /* GeneralString */
 static int hf_kerberos_user_id = -1;              /* S4UUserID */
@@ -307,22 +366,30 @@ static int hf_kerberos_checksum_01 = -1;          /* Checksum */
 static int hf_kerberos_cname_01 = -1;             /* PrincipalName */
 static int hf_kerberos_subject_certificate = -1;  /* T_subject_certificate */
 static int hf_kerberos_options = -1;              /* BIT_STRING */
-static int hf_kerberos_include_pac = -1;          /* BOOLEAN */
+static int hf_kerberos_option_flags = -1;         /* PAC_OptionFlags */
+static int hf_kerberos_restriction_type = -1;     /* Int32 */
+static int hf_kerberos_restriction = -1;          /* OCTET_STRING */
 static int hf_kerberos_newpasswd = -1;            /* OCTET_STRING */
 static int hf_kerberos_targname = -1;             /* PrincipalName */
 static int hf_kerberos_targrealm = -1;            /* Realm */
-static int hf_kerberos_PA_AUTHENTICATION_SET_item = -1;  /* PA_AUTHENTICATION_SET_ELEM */
-static int hf_kerberos_pa_type = -1;              /* Int32 */
+static int hf_kerberos_pa_type = -1;              /* PADATA_TYPE */
 static int hf_kerberos_pa_hint = -1;              /* OCTET_STRING */
 static int hf_kerberos_pa_value = -1;             /* OCTET_STRING */
-static int hf_kerberos_armor_type = -1;           /* Int32 */
-static int hf_kerberos_armor_value = -1;          /* OCTET_STRING */
-static int hf_kerberos_armored_data = -1;         /* KrbFastArmoredReq */
+static int hf_kerberos_armor_type = -1;           /* KrbFastArmorTypes */
+static int hf_kerberos_armor_value = -1;          /* T_armor_value */
+static int hf_kerberos_armored_data_request = -1;  /* KrbFastArmoredReq */
+static int hf_kerberos_encryptedKrbFastReq_cipher = -1;  /* T_encryptedKrbFastReq_cipher */
 static int hf_kerberos_armor = -1;                /* KrbFastArmor */
 static int hf_kerberos_req_checksum = -1;         /* Checksum */
-static int hf_kerberos_enc_fast_req = -1;         /* EncryptedData */
-static int hf_kerberos_armored_data_01 = -1;      /* KrbFastArmoredRep */
-static int hf_kerberos_enc_fast_rep = -1;         /* EncryptedData */
+static int hf_kerberos_enc_fast_req = -1;         /* EncryptedKrbFastReq */
+static int hf_kerberos_fast_options = -1;         /* FastOptions */
+static int hf_kerberos_armored_data_reply = -1;   /* KrbFastArmoredRep */
+static int hf_kerberos_encryptedKrbFastResponse_cipher = -1;  /* T_encryptedKrbFastResponse_cipher */
+static int hf_kerberos_enc_fast_rep = -1;         /* EncryptedKrbFastResponse */
+static int hf_kerberos_strengthen_key = -1;       /* T_strengthen_key */
+static int hf_kerberos_finished = -1;             /* KrbFastFinished */
+static int hf_kerberos_ticket_checksum = -1;      /* Checksum */
+static int hf_kerberos_encryptedChallenge_cipher = -1;  /* T_encryptedChallenge_cipher */
 /* named bits */
 static int hf_kerberos_APOptions_reserved = -1;
 static int hf_kerberos_APOptions_use_session_key = -1;
@@ -376,9 +443,16 @@ static int hf_kerberos_KDCOptions_enc_tkt_in_skey = -1;
 static int hf_kerberos_KDCOptions_unused29 = -1;
 static int hf_kerberos_KDCOptions_renew = -1;
 static int hf_kerberos_KDCOptions_validate = -1;
+static int hf_kerberos_PAC_OptionFlags_claims = -1;
+static int hf_kerberos_PAC_OptionFlags_branch_aware = -1;
+static int hf_kerberos_PAC_OptionFlags_forward_to_full_dc = -1;
+static int hf_kerberos_PAC_OptionFlags_resource_based_constrained_delegation = -1;
+static int hf_kerberos_FastOptions_reserved = -1;
+static int hf_kerberos_FastOptions_hide_client_names = -1;
+static int hf_kerberos_FastOptions_kdc_follow_referrals = -1;
 
 /*--- End of included file: packet-kerberos-hf.c ---*/
-#line 169 "./asn1/kerberos/packet-kerberos-template.c"
+#line 225 "./asn1/kerberos/packet-kerberos-template.c"
 
 /* Initialize the subtree pointers */
 static gint ett_kerberos = -1;
@@ -387,11 +461,14 @@ static gint ett_krb_pac = -1;
 static gint ett_krb_pac_drep = -1;
 static gint ett_krb_pac_midl_blob = -1;
 static gint ett_krb_pac_logon_info = -1;
+static gint ett_krb_pac_credential_info = -1;
 static gint ett_krb_pac_s4u_delegation_info = -1;
 static gint ett_krb_pac_upn_dns_info = -1;
 static gint ett_krb_pac_server_checksum = -1;
 static gint ett_krb_pac_privsvr_checksum = -1;
 static gint ett_krb_pac_client_info_type = -1;
+static gint ett_krb_pa_supported_enctypes = -1;
+static gint ett_krb_ad_ap_options = -1;
 
 /*--- Included file: packet-kerberos-ett.c ---*/
 #line 1 "./asn1/kerberos/packet-kerberos-ett.c"
@@ -407,11 +484,11 @@ static gint ett_kerberos_HostAddresses = -1;
 static gint ett_kerberos_AuthorizationData = -1;
 static gint ett_kerberos_AuthorizationData_item = -1;
 static gint ett_kerberos_PA_DATA = -1;
-static gint ett_kerberos_EncryptedData = -1;
 static gint ett_kerberos_EncryptionKey = -1;
 static gint ett_kerberos_Checksum = -1;
 static gint ett_kerberos_EncryptedTicketData = -1;
 static gint ett_kerberos_EncryptedAuthorizationData = -1;
+static gint ett_kerberos_EncryptedAuthenticator = -1;
 static gint ett_kerberos_EncryptedKDCREPData = -1;
 static gint ett_kerberos_EncryptedAPREPData = -1;
 static gint ett_kerberos_EncryptedKrbPrivData = -1;
@@ -443,6 +520,7 @@ static gint ett_kerberos_KrbCredInfo = -1;
 static gint ett_kerberos_KRB_ERROR_U = -1;
 static gint ett_kerberos_METHOD_DATA = -1;
 static gint ett_kerberos_PA_ENC_TIMESTAMP = -1;
+static gint ett_kerberos_PA_ENC_TS_ENC = -1;
 static gint ett_kerberos_ETYPE_INFO_ENTRY = -1;
 static gint ett_kerberos_ETYPE_INFO = -1;
 static gint ett_kerberos_ETYPE_INFO2_ENTRY = -1;
@@ -450,21 +528,30 @@ static gint ett_kerberos_ETYPE_INFO2 = -1;
 static gint ett_kerberos_APOptions = -1;
 static gint ett_kerberos_TicketFlags = -1;
 static gint ett_kerberos_KDCOptions = -1;
+static gint ett_kerberos_PA_PAC_REQUEST = -1;
 static gint ett_kerberos_PA_S4U2Self = -1;
 static gint ett_kerberos_PA_S4U_X509_USER = -1;
 static gint ett_kerberos_S4UUserID = -1;
-static gint ett_kerberos_KERB_PA_PAC_REQUEST = -1;
+static gint ett_kerberos_PAC_OptionFlags = -1;
+static gint ett_kerberos_PA_PAC_OPTIONS = -1;
+static gint ett_kerberos_KERB_AD_RESTRICTION_ENTRY_U = -1;
 static gint ett_kerberos_ChangePasswdData = -1;
-static gint ett_kerberos_PA_AUTHENTICATION_SET = -1;
 static gint ett_kerberos_PA_AUTHENTICATION_SET_ELEM = -1;
 static gint ett_kerberos_KrbFastArmor = -1;
 static gint ett_kerberos_PA_FX_FAST_REQUEST = -1;
+static gint ett_kerberos_EncryptedKrbFastReq = -1;
 static gint ett_kerberos_KrbFastArmoredReq = -1;
+static gint ett_kerberos_KrbFastReq = -1;
+static gint ett_kerberos_FastOptions = -1;
 static gint ett_kerberos_PA_FX_FAST_REPLY = -1;
+static gint ett_kerberos_EncryptedKrbFastResponse = -1;
 static gint ett_kerberos_KrbFastArmoredRep = -1;
+static gint ett_kerberos_KrbFastResponse = -1;
+static gint ett_kerberos_KrbFastFinished = -1;
+static gint ett_kerberos_EncryptedChallenge = -1;
 
 /*--- End of included file: packet-kerberos-ett.c ---*/
-#line 183 "./asn1/kerberos/packet-kerberos-template.c"
+#line 242 "./asn1/kerberos/packet-kerberos-template.c"
 
 static expert_field ei_kerberos_decrypted_keytype = EI_INIT;
 static expert_field ei_kerberos_address = EI_INIT;
@@ -473,7 +560,6 @@ static expert_field ei_krb_gssapi_dlglen = EI_INIT;
 static dissector_handle_t krb4_handle=NULL;
 
 /* Global variables */
-static guint32 krb5_errorcode;
 static guint32 gbl_keytype;
 static gboolean gbl_do_col_info;
 
@@ -482,6 +568,32 @@ static gboolean gbl_do_col_info;
 #line 1 "./asn1/kerberos/packet-kerberos-val.h"
 #define id_krb5                        "1.3.6.1.5.2"
 
+typedef enum _KERBEROS_AUTHDATA_TYPE_enum {
+  KERBEROS_AD_IF_RELEVANT =   1,
+  KERBEROS_AD_INTENDED_FOR_SERVER =   2,
+  KERBEROS_AD_INTENDED_FOR_APPLICATION_CLASS =   3,
+  KERBEROS_AD_KDC_ISSUED =   4,
+  KERBEROS_AD_AND_OR =   5,
+  KERBEROS_AD_MANDATORY_TICKET_EXTENSIONS =   6,
+  KERBEROS_AD_IN_TICKET_EXTENSIONS =   7,
+  KERBEROS_AD_MANDATORY_FOR_KDC =   8,
+  KERBEROS_AD_INITIAL_VERIFIED_CAS =   9,
+  KERBEROS_AD_OSF_DCE =  64,
+  KERBEROS_AD_SESAME =  65,
+  KERBEROS_AD_OSF_DCE_PKI_CERTID =  66,
+  KERBEROS_AD_AUTHENTICATION_STRENGTH =  70,
+  KERBEROS_AD_FX_FAST_ARMOR =  71,
+  KERBEROS_AD_FX_FAST_USED =  72,
+  KERBEROS_AD_WIN2K_PAC = 128,
+  KERBEROS_AD_GSS_API_ETYPE_NEGOTIATION = 129,
+  KERBEROS_AD_TOKEN_RESTRICTIONS = 141,
+  KERBEROS_AD_LOCAL = 142,
+  KERBEROS_AD_AP_OPTIONS = 143,
+  KERBEROS_AD_TARGET_PRINCIPAL = 144,
+  KERBEROS_AD_SIGNTICKET_OLDER = -17,
+  KERBEROS_AD_SIGNTICKET = 512
+} KERBEROS_AUTHDATA_TYPE_enum;
+
 /* enumerated values for ADDR_TYPE */
 #define KERBEROS_ADDR_TYPE_IPV4   2
 #define KERBEROS_ADDR_TYPE_CHAOS   5
@@ -492,8 +604,81 @@ static gboolean gbl_do_col_info;
 #define KERBEROS_ADDR_TYPE_NETBIOS  20
 #define KERBEROS_ADDR_TYPE_IPV6  24
 
+typedef enum _KERBEROS_PADATA_TYPE_enum {
+  KERBEROS_PA_NONE =   0,
+  KERBEROS_PA_TGS_REQ =   1,
+  KERBEROS_PA_ENC_TIMESTAMP =   2,
+  KERBEROS_PA_PW_SALT =   3,
+  KERBEROS_PA_ENC_UNIX_TIME =   5,
+  KERBEROS_PA_SANDIA_SECUREID =   6,
+  KERBEROS_PA_SESAME =   7,
+  KERBEROS_PA_OSF_DCE =   8,
+  KERBEROS_PA_CYBERSAFE_SECUREID =   9,
+  KERBEROS_PA_AFS3_SALT =  10,
+  KERBEROS_PA_ETYPE_INFO =  11,
+  KERBEROS_PA_SAM_CHALLENGE =  12,
+  KERBEROS_PA_SAM_RESPONSE =  13,
+  KERBEROS_PA_PK_AS_REQ_OLD =  14,
+  KERBEROS_PA_PK_AS_REP_OLD =  15,
+  KERBEROS_PA_PK_AS_REQ =  16,
+  KERBEROS_PA_PK_AS_REP =  17,
+  KERBEROS_PA_PK_OCSP_RESPONSE =  18,
+  KERBEROS_PA_ETYPE_INFO2 =  19,
+  KERBEROS_PA_USE_SPECIFIED_KVNO =  20,
+  KERBEROS_PA_SVR_REFERRAL_INFO =  20,
+  KERBEROS_PA_SAM_REDIRECT =  21,
+  KERBEROS_PA_GET_FROM_TYPED_DATA =  22,
+  KERBEROS_TD_PADATA =  22,
+  KERBEROS_PA_SAM_ETYPE_INFO =  23,
+  KERBEROS_PA_ALT_PRINC =  24,
+  KERBEROS_PA_SERVER_REFERRAL =  25,
+  KERBEROS_PA_SAM_CHALLENGE2 =  30,
+  KERBEROS_PA_SAM_RESPONSE2 =  31,
+  KERBEROS_PA_EXTRA_TGT =  41,
+  KERBEROS_TD_PKINIT_CMS_CERTIFICATES = 101,
+  KERBEROS_TD_KRB_PRINCIPAL = 102,
+  KERBEROS_TD_KRB_REALM = 103,
+  KERBEROS_TD_TRUSTED_CERTIFIERS = 104,
+  KERBEROS_TD_CERTIFICATE_INDEX = 105,
+  KERBEROS_TD_APP_DEFINED_ERROR = 106,
+  KERBEROS_TD_REQ_NONCE = 107,
+  KERBEROS_TD_REQ_SEQ = 108,
+  KERBEROS_TD_DH_PARAMETERS = 109,
+  KERBEROS_TD_CMS_DIGEST_ALGORITHMS = 111,
+  KERBEROS_TD_CERT_DIGEST_ALGORITHMS = 112,
+  KERBEROS_PA_PAC_REQUEST = 128,
+  KERBEROS_PA_FOR_USER = 129,
+  KERBEROS_PA_FOR_X509_USER = 130,
+  KERBEROS_PA_FOR_CHECK_DUPS = 131,
+  KERBEROS_PA_AS_CHECKSUM = 132,
+  KERBEROS_PA_FX_COOKIE = 133,
+  KERBEROS_PA_AUTHENTICATION_SET = 134,
+  KERBEROS_PA_AUTH_SET_SELECTED = 135,
+  KERBEROS_PA_FX_FAST = 136,
+  KERBEROS_PA_FX_ERROR = 137,
+  KERBEROS_PA_ENCRYPTED_CHALLENGE = 138,
+  KERBEROS_PA_OTP_CHALLENGE = 141,
+  KERBEROS_PA_OTP_REQUEST = 142,
+  KERBEROS_PA_OTP_CONFIRM = 143,
+  KERBEROS_PA_OTP_PIN_CHANGE = 144,
+  KERBEROS_PA_EPAK_AS_REQ = 145,
+  KERBEROS_PA_EPAK_AS_REP = 146,
+  KERBEROS_PA_PKINIT_KX = 147,
+  KERBEROS_PA_PKU2U_NAME = 148,
+  KERBEROS_PA_REQ_ENC_PA_REP = 149,
+  KERBEROS_PA_SUPPORTED_ETYPES = 165,
+  KERBEROS_PA_EXTENDED_ERROR = 166,
+  KERBEROS_PA_PAC_OPTIONS = 167,
+  KERBEROS_PA_PROV_SRV_LOCATION =  -1
+} KERBEROS_PADATA_TYPE_enum;
+
+typedef enum _KERBEROS_KRBFASTARMORTYPES_enum {
+  KERBEROS_FX_FAST_RESERVED =   0,
+  KERBEROS_FX_FAST_ARMOR_AP_REQUEST =   1
+} KERBEROS_KRBFASTARMORTYPES_enum;
+
 /*--- End of included file: packet-kerberos-val.h ---*/
-#line 196 "./asn1/kerberos/packet-kerberos-template.c"
+#line 254 "./asn1/kerberos/packet-kerberos-template.c"
 
 static void
 call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int tag, kerberos_callbacks *cb)
@@ -512,13 +697,41 @@ call_kerberos_callbacks(packet_info *pinfo, proto_tree *tree, tvbuff_t *tvb, int
        return;
 }
 
+static kerberos_private_data_t*
+kerberos_get_private_data_p(packet_info *pinfo)
+{
+       void *p = p_get_proto_data(pinfo->pool, pinfo, proto_kerberos, 0);
+       if (p == NULL) {
+               p = wmem_new0(pinfo->pool, kerberos_private_data_t);
+               p_add_proto_data(pinfo->pool, pinfo, proto_kerberos, 0, p);
+       }
+       return (kerberos_private_data_t *)(p);
+}
+
 static kerberos_private_data_t*
 kerberos_get_private_data(asn1_ctx_t *actx)
 {
-       if (!actx->private_data) {
-               actx->private_data = wmem_new0(wmem_packet_scope(), kerberos_private_data_t);
+       return kerberos_get_private_data_p(actx->pinfo);
+}
+
+gboolean
+kerberos_is_win2k_pkinit(asn1_ctx_t *actx)
+{
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+       return private_data->is_win2k_pkinit;
+}
+
+static gboolean
+kerberos_private_is_kdc_req(kerberos_private_data_t *private_data)
+{
+       switch (private_data->msg_type) {
+       case KERBEROS_APPLICATIONS_AS_REQ:
+       case KERBEROS_APPLICATIONS_TGS_REQ:
+               return TRUE;
        }
-       return (kerberos_private_data_t *)(actx->private_data);
+
+       return FALSE;
 }
 
 #ifdef HAVE_KERBEROS
@@ -581,12 +794,112 @@ add_encryption_key(packet_info *pinfo, int keytype, int keylength, const char *k
        /*XXX this needs to be freed later */
        new_key->keyvalue=(char *)g_memdup(keyvalue, keylength);
 }
+
+static void used_encryption_key(proto_tree *tree, packet_info *pinfo,
+                               enc_key_t *ek, int usage, tvbuff_t *cryptotvb)
+{
+       kerberos_private_data_t *private_data = kerberos_get_private_data_p(pinfo);
+
+       proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
+                                    cryptotvb, 0, 0,
+                                    "Decrypted keytype %d usage %d in frame %u "
+                                    "using %s (%02x%02x%02x%02x...)",
+                                    ek->keytype, usage, pinfo->fd->num, ek->key_origin,
+                                    ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
+                                    ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
+
+       private_data->last_decryption_key = ek;
+}
+
+static void used_signing_key(proto_tree *tree, packet_info *pinfo,
+                            enc_key_t *ek, tvbuff_t *tvb,
+                            krb5_cksumtype checksum,
+                            const char *reason)
+{
+       proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
+                                    tvb, 0, 0,
+                                    "%s checksum %d keytype %d in frame %u "
+                                    "using %s (%02x%02x%02x%02x...)",
+                                    reason, checksum, ek->keytype, pinfo->fd->num, ek->key_origin,
+                                    ek->keyvalue[0] & 0xFF, ek->keyvalue[1] & 0xFF,
+                                    ek->keyvalue[2] & 0xFF, ek->keyvalue[3] & 0xFF);
+}
+
+static void
+krb5_fast_key(packet_info *pinfo,
+             const enc_key_t *ek1, const char *p1,
+             const enc_key_t *ek2, const char *p2,
+             const char *origin);
+
+static void
+krb5_fast_armor_key(packet_info *pinfo,
+                   const enc_key_t *remote_subkey,
+                   const enc_key_t *ticket_sessionkey)
+{
+       kerberos_private_data_t *private_data = kerberos_get_private_data_p(pinfo);
+
+       krb5_fast_key(pinfo,
+                     remote_subkey,
+                     "subkeyarmor",
+                     ticket_sessionkey,
+                     "ticketarmor",
+                     "armorkey");
+
+       private_data->fast_armor_key = enc_key_list;
+}
+
 #endif /* HAVE_HEIMDAL_KERBEROS || HAVE_MIT_KERBEROS */
 
 #if defined(HAVE_MIT_KERBEROS)
 
 static krb5_context krb5_ctx;
 
+static void
+krb5_fast_key(packet_info *pinfo,
+             const enc_key_t *ek1, const char *p1,
+             const enc_key_t *ek2, const char *p2,
+             const char *origin)
+{
+#ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
+       krb5_error_code ret;
+       krb5_keyblock k1;
+       krb5_keyblock k2;
+       krb5_keyblock *k = NULL;
+
+       if (!krb_decrypt) {
+               return;
+       }
+
+       if (ek1 == NULL) {
+               return;
+       }
+
+       if (ek2 == NULL) {
+               return;
+       }
+
+       k1.magic = KV5M_KEYBLOCK;
+       k1.enctype = ek1->keytype;
+       k1.length = ek1->keylength;
+       k1.contents = (guint8 *)ek1->keyvalue;
+
+       k2.magic = KV5M_KEYBLOCK;
+       k2.enctype = ek2->keytype;
+       k2.length = ek2->keylength;
+       k2.contents = (guint8 *)ek2->keyvalue;
+
+       ret = krb5_c_fx_cf2_simple(krb5_ctx, &k1, p1, &k2, p2, &k);
+       if (ret != 0) {
+               return;
+       }
+
+       add_encryption_key(pinfo, k->enctype, k->length,
+                          (const char *)k->contents, origin);
+
+       krb5_free_keyblock(krb5_ctx, k);
+#endif
+}
+
 USES_APPLE_DEPRECATED_API
 void
 read_keytab_file(const char *filename)
@@ -675,6 +988,11 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
                                        int keytype,
                                        int *datalen)
 {
+       kerberos_private_data_t *private_data = kerberos_get_private_data_p(pinfo);
+#ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
+       const enc_key_t *ak = private_data->fast_armor_key;
+       const enc_key_t *sk = private_data->fast_strengthen_key;
+#endif
        krb5_error_code ret;
        enc_key_t *ek;
        krb5_data data = {0,0,NULL};
@@ -708,6 +1026,109 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
                input.ciphertext.length = length;
                input.ciphertext.data = (guint8 *)cryptotext;
 
+#ifdef HAVE_KRB5_C_FX_CF2_SIMPLE
+               if (ak == ek) {
+                       continue;
+               }
+
+               if (ak != NULL && ak != ek && ak->keytype == ek->keytype) {
+                       krb5_keyblock k1;
+                       krb5_keyblock k2;
+                       krb5_keyblock *k = NULL;
+                       const char *p1 = NULL;
+
+                       k1.magic = KV5M_KEYBLOCK;
+                       k1.enctype = ak->keytype;
+                       k1.length = ak->keylength;
+                       k1.contents = (guint8 *)ak->keyvalue;
+
+                       k2.magic = KV5M_KEYBLOCK;
+                       k2.enctype = ek->keytype;
+                       k2.length = ek->keylength;
+                       k2.contents = (guint8 *)ek->keyvalue;
+
+                       if (kerberos_private_is_kdc_req(private_data)) {
+                               p1 = "clientchallengearmor";
+                       } else {
+                               p1 = "kdcchallengearmor";
+                       }
+
+                       ret = krb5_c_fx_cf2_simple(krb5_ctx,
+                                                  &k1, p1,
+                                                  &k2, "challengelongterm",
+                                                  &k);
+                       if (ret != 0) {
+                               continue;
+                       }
+
+                       ret = krb5_c_decrypt(krb5_ctx, k, usage, 0, &input, &data);
+                       if(ret == 0) {
+                               char *user_data;
+
+                               add_encryption_key(pinfo, k->enctype, k->length,
+                                                  (const char *)k->contents,
+                                                  p1);
+                               krb5_free_keyblock(krb5_ctx, k);
+                               ek = enc_key_list;
+                               used_encryption_key(tree, pinfo, ek, usage, cryptotvb);
+
+                               /* return a private g_malloced blob to the caller */
+                               user_data=data.data;
+                               if (datalen) {
+                                       *datalen = data.length;
+                               }
+                               return user_data;
+                       }
+
+                       krb5_free_keyblock(krb5_ctx, k);
+               }
+
+               if (sk != NULL && sk != ek && sk->keytype == ek->keytype) {
+                       krb5_keyblock k1;
+                       krb5_keyblock k2;
+                       krb5_keyblock *k = NULL;
+
+                       k1.magic = KV5M_KEYBLOCK;
+                       k1.enctype = sk->keytype;
+                       k1.length = sk->keylength;
+                       k1.contents = (guint8 *)sk->keyvalue;
+
+                       k2.magic = KV5M_KEYBLOCK;
+                       k2.enctype = ek->keytype;
+                       k2.length = ek->keylength;
+                       k2.contents = (guint8 *)ek->keyvalue;
+
+                       ret = krb5_c_fx_cf2_simple(krb5_ctx,
+                                                  &k1, "strengthenkey",
+                                                  &k2, "replykey",
+                                                  &k);
+                       if (ret != 0) {
+                               continue;
+                       }
+
+                       ret = krb5_c_decrypt(krb5_ctx, k, usage, 0, &input, &data);
+                       if(ret == 0) {
+                               char *user_data;
+
+                               add_encryption_key(pinfo, k->enctype, k->length,
+                                                  (const char *)k->contents,
+                                                  "strengthenkey");
+                               krb5_free_keyblock(krb5_ctx, k);
+                               ek = enc_key_list;
+                               used_encryption_key(tree, pinfo, ek, usage, cryptotvb);
+
+                               /* return a private g_malloced blob to the caller */
+                               user_data=data.data;
+                               if (datalen) {
+                                       *datalen = data.length;
+                               }
+                               return user_data;
+                       }
+
+                       krb5_free_keyblock(krb5_ctx, k);
+               }
+#endif
+
                key.key.enctype=ek->keytype;
                key.key.length=ek->keylength;
                key.key.contents=ek->keyvalue;
@@ -715,9 +1136,7 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
                if(ret == 0){
                        char *user_data;
 
-                       expert_add_info_format(pinfo, NULL, &ei_kerberos_decrypted_keytype,
-                                                                  "Decrypted keytype %d in frame %u using %s",
-                                                                  ek->keytype, pinfo->num, ek->key_origin);
+                       used_encryption_key(tree, pinfo, ek, usage, cryptotvb);
 
                        user_data=data.data;
                        if (datalen) {
@@ -731,10 +1150,116 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
 }
 USES_APPLE_RST
 
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype(krb5_context, krb5_enctype, krb5_cksumtype *);
+
+static void
+verify_krb5_pac(proto_tree *tree _U_, asn1_ctx_t *actx, tvbuff_t *pactvb)
+{
+       krb5_error_code ret;
+       enc_key_t *ek = NULL;;
+       krb5_data checksum_data = {0,0,NULL};
+       krb5_cksumtype server_checksum = 0;
+       krb5_cksumtype kdc_checksum = 0;
+       int length = tvb_captured_length(pactvb);
+       const guint8 *pacbuffer = NULL;
+       krb5_pac pac;
+
+       /* don't do anything if we are not attempting to decrypt data */
+       if(!krb_decrypt || length < 1){
+               return;
+       }
+
+       /* make sure we have all the data we need */
+       if (tvb_captured_length(pactvb) < tvb_reported_length(pactvb)) {
+               return;
+       }
+
+       pacbuffer = tvb_get_ptr(pactvb, 0, length);
+
+       ret = krb5_pac_parse(krb5_ctx, pacbuffer, length, &pac);
+       if (ret != 0) {
+               proto_tree_add_expert_format(tree, actx->pinfo, &ei_kerberos_decrypted_keytype,
+                                            pactvb, 0, 0,
+                                            "Failed to parse PAC buffer %d in frame %u",
+                                            ret, actx->pinfo->fd->num);
+               return;
+       }
+
+       ret = krb5_pac_get_buffer(krb5_ctx, pac, KRB5_PAC_SERVER_CHECKSUM,
+                                 &checksum_data);
+       if (ret == 0) {
+               server_checksum = pletoh32(checksum_data.data);
+               krb5_free_data_contents(krb5_ctx, &checksum_data);
+       };
+       ret = krb5_pac_get_buffer(krb5_ctx, pac, KRB5_PAC_PRIVSVR_CHECKSUM,
+                                 &checksum_data);
+       if (ret == 0) {
+               kdc_checksum = pletoh32(checksum_data.data);
+               krb5_free_data_contents(krb5_ctx, &checksum_data);
+       };
+
+       read_keytab_file_from_preferences();
+
+       for(ek=enc_key_list;ek;ek=ek->next){
+               krb5_keyblock keyblock;
+               krb5_cksumtype checksumtype = 0;
+
+               if (server_checksum == 0 && kdc_checksum == 0) {
+                       break;
+               }
+
+               ret = krb5int_c_mandatory_cksumtype(krb5_ctx, ek->keytype,
+                                                   &checksumtype);
+               if (ret != 0) {
+                       continue;
+               }
+
+               keyblock.magic = KV5M_KEYBLOCK;
+               keyblock.enctype = ek->keytype;
+               keyblock.length = ek->keylength;
+               keyblock.contents = (guint8 *)ek->keyvalue;
+
+               if (checksumtype == server_checksum) {
+                       ret = krb5_pac_verify(krb5_ctx, pac, 0, NULL,
+                                             &keyblock, NULL);
+                       if (ret == 0) {
+                               used_signing_key(tree, actx->pinfo, ek, pactvb,
+                                                server_checksum, "Verified Server");
+                               server_checksum = 0;
+                       }
+               }
+
+               if (checksumtype == kdc_checksum) {
+                       ret = krb5_pac_verify(krb5_ctx, pac, 0, NULL,
+                                             NULL, &keyblock);
+                       if (ret == 0) {
+                               used_signing_key(tree, actx->pinfo, ek, pactvb,
+                                                kdc_checksum, "Verified KDC");
+                               kdc_checksum = 0;
+                       }
+               }
+
+       }
+
+       krb5_pac_free(krb5_ctx, pac);
+}
+
 #elif defined(HAVE_HEIMDAL_KERBEROS)
 static krb5_context krb5_ctx;
 
 USES_APPLE_DEPRECATED_API
+
+static void
+krb5_fast_key(packet_info *pinfo,
+             const enc_key_t *ek1, const char *p1,
+             const enc_key_t *ek2, const char *p2,
+             const char *origin)
+{
+#ifdef HAVE_KRB5_CRYPTO_FX_CF2
+/* TODO */
+#endif
+}
 void
 read_keytab_file(const char *filename)
 {
@@ -874,9 +1399,10 @@ decrypt_krb5_data(proto_tree *tree _U_, packet_info *pinfo,
                if((ret == 0) && (length>0)){
                        char *user_data;
 
-                       expert_add_info_format(pinfo, NULL, &ei_kerberos_decrypted_keytype,
-                                                                  "Decrypted keytype %d in frame %u using %s",
-                                                                  ek->keytype, pinfo->num, ek->key_origin);
+                       proto_tree_add_expert_format(tree, pinfo, &ei_kerberos_decrypted_keytype,
+                                                    NULL, 0, 0,
+                                                    "Decrypted keytype %d in frame %u using %s",
+                                                    ek->keytype, pinfo->num, ek->key_origin);
 
                        krb5_crypto_destroy(krb5_ctx, crypto);
                        /* return a private wmem_alloced blob to the caller */
@@ -1132,58 +1658,6 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
  * unless it's expired.
  */
 
-/* pre-authentication type constants */
-#define KRB5_PA_TGS_REQ                        1
-#define KRB5_PA_ENC_TIMESTAMP          2
-#define KRB5_PA_PW_SALT                        3
-#define KRB5_PA_ENC_ENCKEY             4
-#define KRB5_PA_ENC_UNIX_TIME          5
-#define KRB5_PA_ENC_SANDIA_SECURID     6
-#define KRB5_PA_SESAME                 7
-#define KRB5_PA_OSF_DCE                        8
-#define KRB5_PA_CYBERSAFE_SECUREID     9
-#define KRB5_PA_AFS3_SALT              10
-#define KRB5_PA_ENCTYPE_INFO           11
-#define KRB5_PA_SAM_CHALLENGE          12
-#define KRB5_PA_SAM_RESPONSE           13
-#define KRB5_PA_PK_AS_REQ              14
-#define KRB5_PA_PK_AS_REP              15
-#define KRB5_PA_DASS                   16
-#define KRB5_PA_PK_AS_REP_17           17
-#define KRB5_PA_ENCTYPE_INFO2          19
-#define KRB5_PA_USE_SPECIFIED_KVNO     20
-#define KRB5_PA_SAM_REDIRECT           21
-#define KRB5_PA_GET_FROM_TYPED_DATA    22
-#define KRB5_PA_SAM_ETYPE_INFO         23
-#define KRB5_PA_ALT_PRINC              24
-#define KRB5_PA_SAM_CHALLENGE2         30
-#define KRB5_PA_SAM_RESPONSE2          31
-#define KRB5_TD_PKINIT_CMS_CERTIFICATES        101
-#define KRB5_TD_KRB_PRINCIPAL          102
-#define KRB5_TD_KRB_REALM              103
-#define KRB5_TD_TRUSTED_CERTIFIERS     104
-#define KRB5_TD_CERTIFICATE_INDEX      105
-#define KRB5_TD_APP_DEFINED_ERROR      106
-#define KRB5_TD_REQ_NONCE              107
-#define KRB5_TD_REQ_SEQ                        108
-/* preauthentication types >127 (i.e. negative ones) are app specific.
-   however since Microsoft is the dominant(only?) user of types in this range
-   we also treat the type as unsigned.
-*/
-#define KRB5_PA_PAC_REQUEST            128    /* (Microsoft extension) */
-#define KRB5_PA_FOR_USER               129    /* Impersonation (Microsoft extension) See [MS-SFU]. XXX - replaced by KRB5_PA_S4U2SELF */
-#define KRB5_PA_S4U2SELF               129
-#define KRB5_PADATA_S4U_X509_USER      130 /* certificate protocol transition request */
-#define KRB5_PADATA_FX_COOKIE  133
-#define KRB5_PA_AUTHENTICATION_SET 134
-#define KRB5_PADATA_FX_FAST            136
-#define KRB5_PADATA_FX_ERROR   137
-#define KRB5_PADATA_ENCRYPTED_CHALLENGE        138
-#define KRB5_PADATA_PKINIT_KX  147
-#define KRB5_ENCPADATA_REQ_ENC_PA_REP  149
-
-
-#define KRB5_PA_PROV_SRV_LOCATION 0xffffffff    /* (gint32)0xFF) packetcable stuff */
 /* Principal name-type */
 #define KRB5_NT_UNKNOWN                0
 #define KRB5_NT_PRINCIPAL      1
@@ -1277,6 +1751,10 @@ decrypt_krb5_data(proto_tree *tree, packet_info *pinfo,
 #define KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE  74
 #define KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH           75
 #define KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH              76
+#define KRB5_ET_KDC_ERR_PREAUTH_EXPIRED                        90
+#define KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED     91
+#define KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET 92
+#define KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS  93
 
 static const value_string krb5_error_codes[] = {
        { KRB5_ET_KRB5KDC_ERR_NONE, "KRB5KDC_ERR_NONE" },
@@ -1348,6 +1826,10 @@ static const value_string krb5_error_codes[] = {
        { KRB5_ET_KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "KDC_ERR_REVOCATION_STATUS_UNAVAILABLE" },
        { KRB5_ET_KDC_ERR_CLIENT_NAME_MISMATCH, "KDC_ERR_CLIENT_NAME_MISMATCH" },
        { KRB5_ET_KDC_ERR_KDC_NAME_MISMATCH, "KDC_ERR_KDC_NAME_MISMATCH" },
+       { KRB5_ET_KDC_ERR_PREAUTH_EXPIRED, "KDC_ERR_PREAUTH_EXPIRED" },
+       { KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, "KDC_ERR_MORE_PREAUTH_DATA_REQUIRED" },
+       { KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET, "KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET" },
+       { KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS, "KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS" },
        { 0, NULL }
 };
 
@@ -1358,124 +1840,24 @@ static const value_string krb5_error_codes[] = {
 #define PAC_PRIVSVR_CHECKSUM   7
 #define PAC_CLIENT_INFO_TYPE   10
 #define PAC_S4U_DELEGATION_INFO        11
-#define PAC_UPN_DNS_INFO               12
+#define PAC_UPN_DNS_INFO       12
+#define PAC_CLIENT_CLAIMS_INFO 13
+#define PAC_DEVICE_INFO                14
+#define PAC_DEVICE_CLAIMS_INFO 15
 static const value_string w2k_pac_types[] = {
        { PAC_LOGON_INFO                , "Logon Info" },
-       { PAC_CREDENTIAL_TYPE   , "Credential Type" },
-       { PAC_SERVER_CHECKSUM   , "Server Checksum" },
-       { PAC_PRIVSVR_CHECKSUM  , "Privsvr Checksum" },
-       { PAC_CLIENT_INFO_TYPE  , "Client Info Type" },
-       { PAC_S4U_DELEGATION_INFO, "S4U Delegation Info" },
+       { PAC_CREDENTIAL_TYPE           , "Credential Type" },
+       { PAC_SERVER_CHECKSUM           , "Server Checksum" },
+       { PAC_PRIVSVR_CHECKSUM          , "Privsvr Checksum" },
+       { PAC_CLIENT_INFO_TYPE          , "Client Info Type" },
+       { PAC_S4U_DELEGATION_INFO       , "S4U Delegation Info" },
        { PAC_UPN_DNS_INFO              , "UPN DNS Info" },
+       { PAC_CLIENT_CLAIMS_INFO        , "Client Claims Info" },
+       { PAC_DEVICE_INFO               , "Device Info" },
+       { PAC_DEVICE_CLAIMS_INFO        , "Device Claims Info" },
        { 0, NULL },
 };
 
-#if 0
-static const value_string krb5_princ_types[] = {
-       { KRB5_NT_UNKNOWN              , "Unknown" },
-       { KRB5_NT_PRINCIPAL            , "Principal" },
-       { KRB5_NT_SRV_INST             , "Service and Instance" },
-       { KRB5_NT_SRV_HST              , "Service and Host" },
-       { KRB5_NT_SRV_XHST             , "Service and Host Components" },
-       { KRB5_NT_UID                  , "Unique ID" },
-       { KRB5_NT_X500_PRINCIPAL       , "Encoded X.509 Distinguished Name" },
-       { KRB5_NT_SMTP_NAME            , "SMTP Name" },
-       { KRB5_NT_ENTERPRISE           , "Enterprise Name" },
-       { KRB5_NT_MS_PRINCIPAL         , "NT 4.0 style name (MS specific)" },
-       { KRB5_NT_MS_PRINCIPAL_AND_SID , "NT 4.0 style name with SID (MS specific)"},
-       { KRB5_NT_ENT_PRINCIPAL_AND_SID, "UPN and SID (MS specific)"},
-       { KRB5_NT_PRINCIPAL_AND_SID    , "Principal name and SID (MS specific)"},
-       { KRB5_NT_SRV_INST_AND_SID     , "SPN and SID (MS specific)"},
-       { 0                            , NULL },
-};
-#endif
-
-static const value_string krb5_preauthentication_types[] = {
-       { KRB5_PA_TGS_REQ              , "PA-TGS-REQ" },
-       { KRB5_PA_ENC_TIMESTAMP        , "PA-ENC-TIMESTAMP" },
-       { KRB5_PA_PW_SALT              , "PA-PW-SALT" },
-       { KRB5_PA_ENC_ENCKEY           , "PA-ENC-ENCKEY" },
-       { KRB5_PA_ENC_UNIX_TIME        , "PA-ENC-UNIX-TIME" },
-       { KRB5_PA_ENC_SANDIA_SECURID   , "PA-PW-SALT" },
-       { KRB5_PA_SESAME               , "PA-SESAME" },
-       { KRB5_PA_OSF_DCE              , "PA-OSF-DCE" },
-       { KRB5_PA_CYBERSAFE_SECUREID   , "PA-CYBERSAFE-SECURID" },
-       { KRB5_PA_AFS3_SALT            , "PA-AFS3-SALT" },
-       { KRB5_PA_ENCTYPE_INFO         , "PA-ENCTYPE-INFO" },
-       { KRB5_PA_ENCTYPE_INFO2         , "PA-ENCTYPE-INFO2" },
-       { KRB5_PA_SAM_CHALLENGE        , "PA-SAM-CHALLENGE" },
-       { KRB5_PA_SAM_RESPONSE         , "PA-SAM-RESPONSE" },
-       { KRB5_PA_PK_AS_REQ            , "PA-PK-AS-REQ" },
-       { KRB5_PA_PK_AS_REP            , "PA-PK-AS-REP" },
-       { KRB5_PA_DASS                 , "PA-DASS" },
-       { KRB5_PA_PK_AS_REP_17         , "PA-PK-AS-REP-17" },
-       { KRB5_PA_USE_SPECIFIED_KVNO   , "PA-USE-SPECIFIED-KVNO" },
-       { KRB5_PA_SAM_REDIRECT         , "PA-SAM-REDIRECT" },
-       { KRB5_PA_GET_FROM_TYPED_DATA  , "PA-GET-FROM-TYPED-DATA" },
-       { KRB5_PA_SAM_ETYPE_INFO       , "PA-SAM-ETYPE-INFO" },
-       { KRB5_PA_ALT_PRINC            , "PA-ALT-PRINC" },
-       { KRB5_PA_SAM_CHALLENGE2       , "PA-SAM-CHALLENGE2" },
-       { KRB5_PA_SAM_RESPONSE2        , "PA-SAM-RESPONSE2" },
-       { KRB5_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" },
-       { KRB5_TD_KRB_PRINCIPAL        , "TD-KRB-PRINCIPAL" },
-       { KRB5_TD_KRB_REALM , "TD-KRB-REALM" },
-       { KRB5_TD_TRUSTED_CERTIFIERS   , "TD-TRUSTED-CERTIFIERS" },
-       { KRB5_TD_CERTIFICATE_INDEX    , "TD-CERTIFICATE-INDEX" },
-       { KRB5_TD_APP_DEFINED_ERROR    , "TD-APP-DEFINED-ERROR" },
-       { KRB5_TD_REQ_NONCE            , "TD-REQ-NONCE" },
-       { KRB5_TD_REQ_SEQ              , "TD-REQ-SEQ" },
-       { KRB5_PA_PAC_REQUEST          , "PA-PAC-REQUEST" },
-       { KRB5_PA_FOR_USER             , "PA-FOR-USER" },
-       { KRB5_PADATA_S4U_X509_USER    , "PA-S4U-X509-USER" },
-       { KRB5_PADATA_FX_COOKIE        , "PA-FX-COOKIE" },
-       { KRB5_PA_AUTHENTICATION_SET   , "KRB5-PA-AUTHENTICATION-SET" },
-
-       { KRB5_PADATA_FX_FAST          , "PA-FX-FAST" },
-       { KRB5_PADATA_FX_ERROR         , "PA-FX-ERROR" },
-       { KRB5_PADATA_ENCRYPTED_CHALLENGE , "PA-ENCRYPTED-CHALLENGE" },
-       { KRB5_PADATA_PKINIT_KX        , "PA-PKINIT-KX" },
-       { KRB5_ENCPADATA_REQ_ENC_PA_REP , "PA-REQ-ENC-PA-REP" },
-       { KRB5_PA_PROV_SRV_LOCATION    , "PA-PROV-SRV-LOCATION" },
-       { 0                            , NULL },
-};
-
-#define KRB5_AD_IF_RELEVANT                    1
-#define KRB5_AD_INTENDED_FOR_SERVER            2
-#define KRB5_AD_INTENDED_FOR_APPLICATION_CLASS 3
-#define KRB5_AD_KDC_ISSUED                     4
-#define KRB5_AD_OR                             5
-#define KRB5_AD_MANDATORY_TICKET_EXTENSIONS    6
-#define KRB5_AD_IN_TICKET_EXTENSIONS           7
-#define KRB5_AD_MANDATORY_FOR_KDC              8
-#define KRB5_AD_OSF_DCE                                64
-#define KRB5_AD_SESAME                         65
-#define KRB5_AD_OSF_DCE_PKI_CERTID             66
-#define KRB5_AD_WIN2K_PAC                              128
-#define KRB5_AD_SIGNTICKET                     0xffffffef
-
-static const value_string krb5_ad_types[] = {
-       { KRB5_AD_IF_RELEVANT                   , "AD-IF-RELEVANT" },
-       { KRB5_AD_INTENDED_FOR_SERVER           , "AD-Intended-For-Server" },
-       { KRB5_AD_INTENDED_FOR_APPLICATION_CLASS        , "AD-Intended-For-Application-Class" },
-       { KRB5_AD_KDC_ISSUED                    , "AD-KDCIssued" },
-       { KRB5_AD_OR                            , "AD-AND-OR" },
-       { KRB5_AD_MANDATORY_TICKET_EXTENSIONS   , "AD-Mandatory-Ticket-Extensions" },
-       { KRB5_AD_IN_TICKET_EXTENSIONS          , "AD-IN-Ticket-Extensions" },
-       { KRB5_AD_MANDATORY_FOR_KDC                     , "AD-MANDATORY-FOR-KDC" },
-       { KRB5_AD_OSF_DCE                               , "AD-OSF-DCE" },
-       { KRB5_AD_SESAME                                , "AD-SESAME" },
-       { KRB5_AD_OSF_DCE_PKI_CERTID            , "AD-OSF-DCE-PKI-CertID" },
-       { KRB5_AD_WIN2K_PAC                             , "AD-Win2k-PAC" },
-       { KRB5_AD_SIGNTICKET                    , "AD-SignTicket" },
-       { 0     , NULL },
-};
-#if 0
-static const value_string krb5_transited_types[] = {
-       { 1                           , "DOMAIN-X500-COMPRESS" },
-       { 0                           , NULL }
-};
-#endif
-
 static const value_string krb5_msg_types[] = {
        { KRB5_MSG_TICKET,              "Ticket" },
        { KRB5_MSG_AUTHENTICATOR,       "Authenticator" },
@@ -1603,6 +1985,42 @@ dissect_krb5_decrypt_authenticator_data (gboolean imp_tag _U_, tvbuff_t *tvb, in
        return offset;
 }
 
+static int
+dissect_krb5_decrypt_authorization_data(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+                                       proto_tree *tree, int hf_index _U_)
+{
+       guint8 *plaintext;
+       int length;
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       tvbuff_t *next_tvb;
+
+       next_tvb=tvb_new_subset_remaining(tvb, offset);
+       length=tvb_captured_length_remaining(tvb, offset);
+
+       /* draft-ietf-krb-wg-kerberos-clarifications-05.txt :
+        * 7.5.1
+        * Authenticators are encrypted with usage
+        * == 5 or
+        * == 4
+        */
+       plaintext=decrypt_krb5_data(tree, actx->pinfo, 5, next_tvb, private_data->etype, NULL);
+
+       if(!plaintext){
+               plaintext=decrypt_krb5_data(tree, actx->pinfo, 4, next_tvb, private_data->etype, NULL);
+       }
+
+       if(plaintext){
+               tvbuff_t *child_tvb;
+               child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+               /* Add the decrypted data to the data source list. */
+               add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+               offset=dissect_kerberos_AuthorizationData(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+       }
+       return offset;
+}
+
 static int
 dissect_krb5_decrypt_KDC_REP_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
                                                                        proto_tree *tree, int hf_index _U_)
@@ -1670,7 +2088,7 @@ dissect_krb5_decrypt_PA_ENC_TIMESTAMP (gboolean imp_tag _U_, tvbuff_t *tvb, int
                /* Add the decrypted data to the data source list. */
                add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
 
-               offset=dissect_kerberos_Applications(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+               offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
        }
        return offset;
 }
@@ -1764,86 +2182,281 @@ dissect_krb5_decrypt_CRED_data (gboolean imp_tag _U_, tvbuff_t *tvb, int offset,
        }
        return offset;
 }
-#endif
 
-/* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
- */
 static int
-dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb)
+dissect_krb5_decrypt_KrbFastReq(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+                               proto_tree *tree, int hf_index _U_)
 {
-       int offset=0;
-       guint32 len;
-       guint16 dlglen;
-
-       /* Length of Bnd field */
-       len=tvb_get_letohl(tvb, offset);
-       proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       offset += 4;
-
-       /* Bnd field */
-       proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA);
-       offset += len;
+       guint8 *plaintext;
+       int length;
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       tvbuff_t *next_tvb;
 
+       next_tvb=tvb_new_subset_remaining(tvb, offset);
+       length=tvb_captured_length_remaining(tvb, offset);
 
-       /* flags */
-       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN);
-       offset += 4;
+       /* RFC6113 :
+        * KrbFastResponse encrypted with usage
+        * KEY_USAGE_FAST_ENC 51
+        */
+       plaintext=decrypt_krb5_data(tree, actx->pinfo, KEY_USAGE_FAST_ENC,
+                                   next_tvb, private_data->etype, NULL);
 
-       /* the next fields are optional so we have to check that we have
-        * more data in our buffers */
-       if(tvb_reported_length_remaining(tvb, offset)<2){
-               return offset;
-       }
-       /* dlgopt identifier */
-       proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN);
-       offset += 2;
+       if(plaintext){
+               tvbuff_t *child_tvb;
+               child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
 
-       if(tvb_reported_length_remaining(tvb, offset)<2){
-               return offset;
-       }
-       /* dlglen identifier */
-       dlglen=tvb_get_letohs(tvb, offset);
-       proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN);
-       offset += 2;
+               /* Add the decrypted data to the data source list. */
+               add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
 
-       if(dlglen!=tvb_reported_length_remaining(tvb, offset)){
-               proto_tree_add_expert_format(tree, actx->pinfo, &ei_krb_gssapi_dlglen, tvb, 0, 0,
-                               "Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_captured_length_remaining(tvb, offset));
-               return offset;
+               offset=dissect_kerberos_KrbFastReq(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
        }
-
-       /* this should now be a KRB_CRED message */
-       offset=dissect_kerberos_Applications(FALSE, tvb, offset, actx, tree, /* hf_index */ -1);
-
        return offset;
 }
 
 static int
-dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+dissect_krb5_decrypt_KrbFastResponse(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+                                    proto_tree *tree, int hf_index _U_)
 {
-       offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
+       guint8 *plaintext;
+       int length;
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       tvbuff_t *next_tvb;
+
+       next_tvb=tvb_new_subset_remaining(tvb, offset);
+       length=tvb_captured_length_remaining(tvb, offset);
 
+       /*
+        * RFC6113 :
+        * KrbFastResponse encrypted with usage
+        * KEY_USAGE_FAST_REP 52
+        */
+       plaintext=decrypt_krb5_data(tree, actx->pinfo, KEY_USAGE_FAST_REP,
+                                   next_tvb, private_data->etype, NULL);
+
+       if(plaintext){
+               tvbuff_t *child_tvb;
+               child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+               /* Add the decrypted data to the data source list. */
+               add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+               private_data->fast_armor_key = private_data->last_decryption_key;
+               offset=dissect_kerberos_KrbFastResponse(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+       }
        return offset;
 }
 
 static int
-dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+dissect_krb5_decrypt_EncryptedChallenge(gboolean imp_tag _U_, tvbuff_t *tvb, int offset, asn1_ctx_t *actx,
+                                       proto_tree *tree, int hf_index _U_)
 {
-       guint32 nt_status;
+       guint8 *plaintext;
+       int length;
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       tvbuff_t *next_tvb;
+       int usage = 0;
+
+       next_tvb=tvb_new_subset_remaining(tvb, offset);
+       length=tvb_captured_length_remaining(tvb, offset);
+
+       /* RFC6113 :
+        * KEY_USAGE_ENC_CHALLENGE_CLIENT  54
+        * KEY_USAGE_ENC_CHALLENGE_KDC     55
+        */
+       if (kerberos_private_is_kdc_req(private_data)) {
+               usage = KEY_USAGE_ENC_CHALLENGE_CLIENT;
+       } else {
+               usage = KEY_USAGE_ENC_CHALLENGE_KDC;
+       }
+       plaintext=decrypt_krb5_data(tree, actx->pinfo, usage, next_tvb, private_data->etype, NULL);
+
+       if(plaintext){
+               tvbuff_t *child_tvb;
+               child_tvb = tvb_new_child_real_data(tvb, plaintext, length, length);
+
+               /* Add the decrypted data to the data source list. */
+               add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+               offset=dissect_kerberos_PA_ENC_TS_ENC(FALSE, child_tvb, 0, actx , tree, /* hf_index*/ -1);
+       }
+       return offset;
+}
+#endif
+
+static const int *hf_krb_pa_supported_enctypes_fields[] = {
+       &hf_krb_pa_supported_enctypes_des_cbc_crc,
+       &hf_krb_pa_supported_enctypes_des_cbc_md5,
+       &hf_krb_pa_supported_enctypes_rc4_hmac,
+       &hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
+       &hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
+       &hf_krb_pa_supported_enctypes_fast_supported,
+       &hf_krb_pa_supported_enctypes_compound_identity_supported,
+       &hf_krb_pa_supported_enctypes_claims_supported,
+       &hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
+       NULL,
+};
+
+static const true_false_string supported_tfs = {
+       "Supported", "Not supported"
+};
+
+static int
+dissect_kerberos_PA_SUPPORTED_ENCTYPES(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
+                                      int offset _U_, asn1_ctx_t *actx _U_,
+                                      proto_tree *tree _U_, int hf_index _U_)
+{
+       actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
+                                                   hf_krb_pa_supported_enctypes,
+                                                   ett_krb_pa_supported_enctypes,
+                                                   hf_krb_pa_supported_enctypes_fields,
+                                                   ENC_LITTLE_ENDIAN);
+       offset += 4;
+
+       return offset;
+}
+
+static const int *hf_krb_ad_ap_options_fields[] = {
+       &hf_krb_ad_ap_options_cbt,
+       NULL,
+};
+
+static const true_false_string set_tfs = {
+       "Set", "Not set"
+};
+
+static int
+dissect_kerberos_AD_AP_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
+                              int offset _U_, asn1_ctx_t *actx _U_,
+                              proto_tree *tree _U_, int hf_index _U_)
+{
+       actx->created_item = proto_tree_add_bitmask(tree, tvb, offset,
+                                                   hf_krb_ad_ap_options,
+                                                   ett_krb_ad_ap_options,
+                                                   hf_krb_ad_ap_options_fields,
+                                                   ENC_LITTLE_ENDIAN);
+       offset += 4;
+
+       return offset;
+}
+
+static int
+dissect_kerberos_AD_TARGET_PRINCIPAL(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
+                                    int offset _U_, asn1_ctx_t *actx _U_,
+                                    proto_tree *tree _U_, int hf_index _U_)
+{
+       int tp_offset, tp_len;
+       const char *tp;
+       guint16 bc;
+
+       bc = tvb_reported_length_remaining(tvb, offset);
+       tp_offset = offset;
+       tp_len = bc;
+       tp = get_unicode_or_ascii_string(tvb, &offset, TRUE, &tp_len, TRUE, TRUE, &bc);
+       proto_tree_add_string(tree, hf_krb_ad_target_principal, tvb, tp_offset, tp_len, tp);
+
+       return offset;
+}
+
+/* Dissect a GSSAPI checksum as per RFC1964. This is NOT ASN.1 encoded.
+ */
+static int
+dissect_krb5_rfc1964_checksum(asn1_ctx_t *actx _U_, proto_tree *tree, tvbuff_t *tvb)
+{
+       int offset=0;
+       guint32 len;
+       guint16 dlglen;
+
+       /* Length of Bnd field */
+       len=tvb_get_letohl(tvb, offset);
+       proto_tree_add_item(tree, hf_krb_gssapi_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       offset += 4;
+
+       /* Bnd field */
+       proto_tree_add_item(tree, hf_krb_gssapi_bnd, tvb, offset, len, ENC_NA);
+       offset += len;
+
+
+       /* flags */
+       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_dce_style, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_integ, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_conf, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_sequence, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_replay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_mutual, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       proto_tree_add_item(tree, hf_krb_gssapi_c_flag_deleg, tvb, offset, 4, ENC_LITTLE_ENDIAN);
+       offset += 4;
+
+       /* the next fields are optional so we have to check that we have
+        * more data in our buffers */
+       if(tvb_reported_length_remaining(tvb, offset)<2){
+               return offset;
+       }
+       /* dlgopt identifier */
+       proto_tree_add_item(tree, hf_krb_gssapi_dlgopt, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+       offset += 2;
+
+       if(tvb_reported_length_remaining(tvb, offset)<2){
+               return offset;
+       }
+       /* dlglen identifier */
+       dlglen=tvb_get_letohs(tvb, offset);
+       proto_tree_add_item(tree, hf_krb_gssapi_dlglen, tvb, offset, 2, ENC_LITTLE_ENDIAN);
+       offset += 2;
+
+       if(dlglen!=tvb_reported_length_remaining(tvb, offset)){
+               proto_tree_add_expert_format(tree, actx->pinfo, &ei_krb_gssapi_dlglen, tvb, 0, 0,
+                               "Error: DlgLen:%d is not the same as number of bytes remaining:%d", dlglen, tvb_captured_length_remaining(tvb, offset));
+               return offset;
+       }
+
+       /* this should now be a KRB_CRED message */
+       offset=dissect_kerberos_Applications(FALSE, tvb, offset, actx, tree, /* hf_index */ -1);
+
+       return offset;
+}
+
+static int
+dissect_krb5_PA_PROV_SRV_LOCATION(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+       offset=dissect_ber_GeneralString(actx, tree, tvb, offset, hf_krb_provsrv_location, NULL, 0);
+
+       return offset;
+}
+
+static int
+dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_)
+{
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       gint remaining = tvb_reported_length_remaining(tvb, offset);
+       guint32 nt_status = 0;
+       guint32 val_0 = 0;
+       guint32 val_1 = 0;
+
+       if (private_data->errorcode == 0) {
+               goto no_error;
+       }
+
+       if (!private_data->try_nt_status) {
+               goto no_error;
+       }
+
+       if (remaining != 12) {
+               goto no_error;
+       }
+
+       nt_status=tvb_get_letohl(tvb, offset);
+       val_0=tvb_get_letohl(tvb, offset + 4);
+       val_1=tvb_get_letohl(tvb, offset + 8);
+
+       if (val_0 != 0 || val_1 != 1) {
+               goto no_error;
+       }
 
        /* Microsoft stores a special 12 byte blob here
         * guint32 NT_status
-        * guint32 unknown
-        * guint32 unknown
-        * decode everything as this blob for now until we see if anyone
-        * else ever uses it   or we learn how to tell whether this
-        * is such an MS blob or not.
+        * guint32 unknown (== 0)
+        * guint32 unknown (== 1)
         */
        proto_tree_add_item(tree, hf_krb_smb_nt_status, tvb, offset, 4,
                        ENC_LITTLE_ENDIAN);
@@ -1865,6 +2478,9 @@ dissect_krb5_PW_SALT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U
        offset += 4;
 
        return offset;
+
+ no_error:
+       return offset + remaining;
 }
 
 static int
@@ -1951,6 +2567,61 @@ dissect_krb5_PAC_LOGON_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset,
        return offset;
 }
 
+
+static int
+dissect_krb5_PAC_CREDENTIAL_DATA(proto_tree *parent_tree, tvbuff_t *tvb, int offset, packet_info *pinfo _U_)
+{
+       proto_tree_add_item(parent_tree, hf_krb_pac_credential_data, tvb, offset, -1, ENC_NA);
+
+       return offset;
+}
+
+static int
+dissect_krb5_PAC_CREDENTIAL_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
+{
+       proto_item *item;
+       proto_tree *tree;
+       guint32 etype;
+       guint8 *plaintext = NULL;
+       int plainlen = 0;
+       int length;
+       tvbuff_t *next_tvb;
+#define KRB5_KU_OTHER_ENCRYPTED 16
+       int usage = KRB5_KU_OTHER_ENCRYPTED;
+
+       item = proto_tree_add_item(parent_tree, hf_krb_pac_credential_info, tvb, offset, -1, ENC_NA);
+       tree = proto_item_add_subtree(item, ett_krb_pac_credential_info);
+
+       /* version */
+       proto_tree_add_item(tree, hf_krb_pac_credential_info_version, tvb,
+                           offset, 4, ENC_LITTLE_ENDIAN);
+       offset+=4;
+
+       /* etype */
+       etype = tvb_get_letohl(tvb, offset);
+       proto_tree_add_item(tree, hf_krb_pac_credential_info_etype, tvb,
+                           offset, 4, ENC_LITTLE_ENDIAN);
+       offset+=4;
+
+       /* data */
+       next_tvb=tvb_new_subset_remaining(tvb, offset);
+       length=tvb_captured_length_remaining(tvb, offset);
+
+       plaintext=decrypt_krb5_data(tree, actx->pinfo, usage, next_tvb, (int)etype, &plainlen);
+
+       if (plaintext != NULL) {
+               tvbuff_t *child_tvb;
+               child_tvb = tvb_new_child_real_data(tvb, plaintext, plainlen, plainlen);
+
+               /* Add the decrypted data to the data source list. */
+               add_new_data_source(actx->pinfo, child_tvb, "Decrypted Krb5");
+
+               dissect_krb5_PAC_CREDENTIAL_DATA(tree, child_tvb, 0, actx->pinfo);
+       }
+
+       return offset + length;
+}
+
 static int
 dissect_krb5_PAC_S4U_DELEGATION_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx)
 {
@@ -2033,9 +2704,25 @@ dissect_krb5_PAC_UPN_DNS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset
 }
 
 static int
-dissect_krb5_PAC_CREDENTIAL_TYPE(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+dissect_krb5_PAC_CLIENT_CLAIMS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+       proto_tree_add_item(parent_tree, hf_krb_pac_client_claims_info, tvb, offset, -1, ENC_NA);
+
+       return offset;
+}
+
+static int
+dissect_krb5_PAC_DEVICE_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
+{
+       proto_tree_add_item(parent_tree, hf_krb_pac_device_info, tvb, offset, -1, ENC_NA);
+
+       return offset;
+}
+
+static int
+dissect_krb5_PAC_DEVICE_CLAIMS_INFO(proto_tree *parent_tree, tvbuff_t *tvb, int offset, asn1_ctx_t *actx _U_)
 {
-       proto_tree_add_item(parent_tree, hf_krb_pac_credential_type, tvb, offset, -1, ENC_NA);
+       proto_tree_add_item(parent_tree, hf_krb_pac_device_claims_info, tvb, offset, -1, ENC_NA);
 
        return offset;
 }
@@ -2136,7 +2823,7 @@ dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, as
                dissect_krb5_PAC_LOGON_INFO(tr, next_tvb, 0, actx);
                break;
        case PAC_CREDENTIAL_TYPE:
-               dissect_krb5_PAC_CREDENTIAL_TYPE(tr, next_tvb, 0, actx);
+               dissect_krb5_PAC_CREDENTIAL_INFO(tr, next_tvb, 0, actx);
                break;
        case PAC_SERVER_CHECKSUM:
                dissect_krb5_PAC_SERVER_CHECKSUM(tr, next_tvb, 0, actx);
@@ -2153,6 +2840,15 @@ dissect_krb5_AD_WIN2K_PAC_struct(proto_tree *tree, tvbuff_t *tvb, int offset, as
        case PAC_UPN_DNS_INFO:
                dissect_krb5_PAC_UPN_DNS_INFO(tr, next_tvb, 0, actx);
                break;
+       case PAC_CLIENT_CLAIMS_INFO:
+               dissect_krb5_PAC_CLIENT_CLAIMS_INFO(tr, next_tvb, 0, actx);
+               break;
+       case PAC_DEVICE_INFO:
+               dissect_krb5_PAC_DEVICE_INFO(tr, next_tvb, 0, actx);
+               break;
+       case PAC_DEVICE_CLAIMS_INFO:
+               dissect_krb5_PAC_DEVICE_CLAIMS_INFO(tr, next_tvb, 0, actx);
+               break;
 
        default:
                break;
@@ -2167,6 +2863,10 @@ dissect_krb5_AD_WIN2K_PAC(gboolean implicit_tag _U_, tvbuff_t *tvb, int offset,
        guint32 version;
        guint32 i;
 
+#ifdef HAVE_KERBEROS
+       verify_krb5_pac(tree, actx, tvb);
+#endif
+
        /* first in the PAC structure comes the number of entries */
        entries=tvb_get_letohl(tvb, offset);
        proto_tree_add_uint(tree, hf_krb_w2k_pac_entries, tvb, offset, 4, entries);
@@ -2330,7 +3030,7 @@ static const value_string kerberos_ENCTYPE_vals[] = {
 
 static int
 dissect_kerberos_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 252 "./asn1/kerberos/kerberos.cnf"
+#line 300 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
                                                 &(private_data->etype));
@@ -2355,7 +3055,7 @@ dissect_kerberos_UInt32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
 
 static int
 dissect_kerberos_T_encryptedTicketData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 256 "./asn1/kerberos/kerberos.cnf"
+#line 304 "./asn1/kerberos/kerberos.cnf"
 #ifdef HAVE_KERBEROS
        offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_ticket_data);
 #else
@@ -2483,7 +3183,7 @@ static const value_string kerberos_CKSUMTYPE_vals[] = {
 
 static int
 dissect_kerberos_CKSUMTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 313 "./asn1/kerberos/kerberos.cnf"
+#line 369 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
                                                 &(private_data->checksum_type));
@@ -2498,7 +3198,7 @@ dissect_kerberos_CKSUMTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
 
 static int
 dissect_kerberos_T_checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 317 "./asn1/kerberos/kerberos.cnf"
+#line 373 "./asn1/kerberos/kerberos.cnf"
        tvbuff_t *next_tvb;
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 
@@ -2509,6 +3209,7 @@ dissect_kerberos_T_checksum(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of
                break;
        default:
                offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, NULL);
+               break;
        }
        return offset;
 
@@ -2565,7 +3266,7 @@ dissect_kerberos_Int32(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
 
 static int
 dissect_kerberos_T_keytype(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 331 "./asn1/kerberos/kerberos.cnf"
+#line 388 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 
        offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
@@ -2581,7 +3282,7 @@ dissect_kerberos_T_keytype(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
 
 static int
 dissect_kerberos_T_keyvalue(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 338 "./asn1/kerberos/kerberos.cnf"
+#line 395 "./asn1/kerberos/kerberos.cnf"
        tvbuff_t *out_tvb;
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 
@@ -2606,7 +3307,7 @@ static const ber_sequence_t EncryptionKey_sequence[] = {
 
 static int
 dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 347 "./asn1/kerberos/kerberos.cnf"
+#line 404 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 
          offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
@@ -2616,6 +3317,23 @@ dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
        if (private_data->key.keytype != 0 && private_data->key.keylength > 0) {
 #ifdef HAVE_KERBEROS
                add_encryption_key(actx->pinfo, private_data->key.keytype, private_data->key.keylength, private_data->key.keyvalue, "key");
+#if defined(HAVE_HEIMDAL_KERBEROS) || defined(HAVE_MIT_KERBEROS)
+               if (private_data->fast_armor_within_enc_ticket_part &&
+                   private_data->fast_armor_ticket_sessionkey == NULL)
+               {
+                       private_data->fast_armor_ticket_sessionkey = enc_key_list;
+               }
+               if (private_data->fast_armor_within_authenticator &&
+                   private_data->fast_armor_remote_subkey == NULL)
+               {
+                       private_data->fast_armor_remote_subkey = enc_key_list;
+               }
+               if (private_data->fast_strengthen_key_needed)
+               {
+                       private_data->fast_strengthen_key = enc_key_list;
+                       private_data->fast_strengthen_key_needed = FALSE;
+               }
+#endif
 #endif
        }
 
@@ -2625,13 +3343,42 @@ dissect_kerberos_EncryptionKey(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
 }
 
 
+static const value_string kerberos_AUTHDATA_TYPE_vals[] = {
+  { KERBEROS_AD_IF_RELEVANT, "AD-IF-RELEVANT" },
+  { KERBEROS_AD_INTENDED_FOR_SERVER, "AD-INTENDED-FOR-SERVER" },
+  { KERBEROS_AD_INTENDED_FOR_APPLICATION_CLASS, "AD-INTENDED-FOR-APPLICATION-CLASS" },
+  { KERBEROS_AD_KDC_ISSUED, "AD-KDC-ISSUED" },
+  { KERBEROS_AD_AND_OR, "AD-AND-OR" },
+  { KERBEROS_AD_MANDATORY_TICKET_EXTENSIONS, "AD-MANDATORY-TICKET-EXTENSIONS" },
+  { KERBEROS_AD_IN_TICKET_EXTENSIONS, "AD-IN-TICKET-EXTENSIONS" },
+  { KERBEROS_AD_MANDATORY_FOR_KDC, "AD-MANDATORY-FOR-KDC" },
+  { KERBEROS_AD_INITIAL_VERIFIED_CAS, "AD-INITIAL-VERIFIED-CAS" },
+  { KERBEROS_AD_OSF_DCE, "AD-OSF-DCE" },
+  { KERBEROS_AD_SESAME, "AD-SESAME" },
+  { KERBEROS_AD_OSF_DCE_PKI_CERTID, "AD-OSF-DCE-PKI-CERTID" },
+  { KERBEROS_AD_AUTHENTICATION_STRENGTH, "AD-authentication-strength" },
+  { KERBEROS_AD_FX_FAST_ARMOR, "AD-fx-fast-armor" },
+  { KERBEROS_AD_FX_FAST_USED, "AD-fx-fast-used" },
+  { KERBEROS_AD_WIN2K_PAC, "AD-WIN2K-PAC" },
+  { KERBEROS_AD_GSS_API_ETYPE_NEGOTIATION, "AD-GSS-API-ETYPE-NEGOTIATION" },
+  { KERBEROS_AD_TOKEN_RESTRICTIONS, "AD-TOKEN-RESTRICTIONS" },
+  { KERBEROS_AD_LOCAL, "AD-LOCAL" },
+  { KERBEROS_AD_AP_OPTIONS, "AD-AP-OPTIONS" },
+  { KERBEROS_AD_TARGET_PRINCIPAL, "AD-TARGET-PRINCIPAL" },
+  { KERBEROS_AD_SIGNTICKET_OLDER, "AD-SIGNTICKET-OLDER" },
+  { KERBEROS_AD_SIGNTICKET, "AD-SIGNTICKET" },
+  { 0, NULL }
+};
+
 
 static int
-dissect_kerberos_T_ad_type(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 358 "./asn1/kerberos/kerberos.cnf"
+dissect_kerberos_AUTHDATA_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 444 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
-       offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
-                                                                       &(private_data->ad_type));
+  offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
+                                                &(private_data->ad_type));
+
+
 
 
   return offset;
@@ -2641,18 +3388,34 @@ dissect_kerberos_T_ad_type(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
 
 static int
 dissect_kerberos_T_ad_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 365 "./asn1/kerberos/kerberos.cnf"
+#line 448 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
 
        switch(private_data->ad_type){
-       case KRB5_AD_WIN2K_PAC:
+       case KERBEROS_AD_WIN2K_PAC:
                offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_krb5_AD_WIN2K_PAC);
                break;
-       case KRB5_AD_IF_RELEVANT:
+       case KERBEROS_AD_IF_RELEVANT:
                offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_IF_RELEVANT);
                break;
+       case KERBEROS_AD_TOKEN_RESTRICTIONS:
+               offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_KERB_AD_RESTRICTION_ENTRY);
+               break;
+       case KERBEROS_AD_GSS_API_ETYPE_NEGOTIATION:
+               offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_SEQUENCE_OF_ENCTYPE);
+               break;
+       case KERBEROS_AD_AP_OPTIONS:
+               offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_AP_OPTIONS);
+               break;
+       case KERBEROS_AD_TARGET_PRINCIPAL:
+               offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_AD_TARGET_PRINCIPAL);
+               break;
+       case KERBEROS_AD_AUTHENTICATION_STRENGTH:
+               offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM);
+               break;
        default:
                offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+               break;
        }
 
 
@@ -2662,7 +3425,7 @@ dissect_kerberos_T_ad_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
 
 
 static const ber_sequence_t AuthorizationData_item_sequence[] = {
-  { &hf_kerberos_ad_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_T_ad_type },
+  { &hf_kerberos_ad_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_AUTHDATA_TYPE },
   { &hf_kerberos_ad_data    , BER_CLASS_CON, 1, 0, dissect_kerberos_T_ad_data },
   { NULL, 0, 0, 0, NULL }
 };
@@ -2714,9 +3477,16 @@ dissect_kerberos_Authenticator_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, i
 
 static int
 dissect_kerberos_Authenticator(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 432 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       private_data->fast_armor_within_authenticator = TRUE;
   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
                                       hf_index, BER_CLASS_APP, 2, FALSE, dissect_kerberos_Authenticator_U);
 
+       private_data->fast_armor_within_authenticator = FALSE;
+
+
+
   return offset;
 }
 
@@ -2792,7 +3562,7 @@ static const value_string kerberos_ADDR_TYPE_vals[] = {
 
 static int
 dissect_kerberos_ADDR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 382 "./asn1/kerberos/kerberos.cnf"
+#line 481 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
                                                 &(private_data->addr_type));
@@ -2807,7 +3577,7 @@ dissect_kerberos_ADDR_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
 
 static int
 dissect_kerberos_T_address(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 201 "./asn1/kerberos/kerberos.cnf"
+#line 248 "./asn1/kerberos/kerberos.cnf"
        gint8 appclass;
        gboolean pc;
        gint32 tag;
@@ -2843,6 +3613,7 @@ dissect_kerberos_T_address(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
        default:
                proto_tree_add_expert(tree, actx->pinfo, &ei_kerberos_address, tvb, offset, len);
                address_str = NULL;
+               break;
        }
 
        /* push it up two levels in the decode pane */
@@ -2916,9 +3687,16 @@ dissect_kerberos_EncTicketPart_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, i
 
 static int
 dissect_kerberos_EncTicketPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 438 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       private_data->fast_armor_within_enc_ticket_part = TRUE;
   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
                                       hf_index, BER_CLASS_APP, 3, FALSE, dissect_kerberos_EncTicketPart_U);
 
+       private_data->fast_armor_within_enc_ticket_part = FALSE;
+
+
+
   return offset;
 }
 
@@ -2940,8 +3718,9 @@ static const value_string kerberos_MESSAGE_TYPE_vals[] = {
 
 static int
 dissect_kerberos_MESSAGE_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 73 "./asn1/kerberos/kerberos.cnf"
-guint32 msgtype;
+#line 86 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       guint32 msgtype;
 
   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
                                                 &msgtype);
@@ -2949,7 +3728,7 @@ guint32 msgtype;
 
 
 
-#line 78 "./asn1/kerberos/kerberos.cnf"
+#line 92 "./asn1/kerberos/kerberos.cnf"
        if (gbl_do_col_info) {
                col_add_str(actx->pinfo->cinfo, COL_INFO,
                        val_to_str(msgtype, krb5_msg_types,
@@ -2961,6 +3740,9 @@ guint32 msgtype;
        /* append the application type to the tree */
        proto_item_append_text(tree, " %s", val_to_str(msgtype, krb5_msg_types, "Unknown:0x%x"));
 #endif
+       if (private_data->msg_type == 0) {
+               private_data->msg_type = msgtype;
+       }
 
 
   return offset;
@@ -2968,79 +3750,88 @@ guint32 msgtype;
 
 
 static const value_string kerberos_PADATA_TYPE_vals[] = {
-  {   0, "kRB5-PADATA-NONE" },
-  {   1, "kRB5-PADATA-TGS-REQ" },
-  {   2, "kRB5-PADATA-ENC-TIMESTAMP" },
-  {   3, "kRB5-PADATA-PW-SALT" },
-  {   5, "kRB5-PADATA-ENC-UNIX-TIME" },
-  {   6, "kRB5-PADATA-SANDIA-SECUREID" },
-  {   7, "kRB5-PADATA-SESAME" },
-  {   8, "kRB5-PADATA-OSF-DCE" },
-  {   9, "kRB5-PADATA-CYBERSAFE-SECUREID" },
-  {  10, "kRB5-PADATA-AFS3-SALT" },
-  {  11, "kRB5-PADATA-ETYPE-INFO" },
-  {  12, "kRB5-PADATA-SAM-CHALLENGE" },
-  {  13, "kRB5-PADATA-SAM-RESPONSE" },
-  {  14, "kRB5-PADATA-PK-AS-REQ-19" },
-  {  15, "kRB5-PADATA-PK-AS-REP-19" },
-  {  16, "kRB5-PADATA-PK-AS-REQ" },
-  {  17, "kRB5-PADATA-PK-AS-REP" },
-  {  18, "kRB5-PADATA-PA-PK-OCSP-RESPONSE" },
-  {  19, "kRB5-PADATA-ETYPE-INFO2" },
-  {  20, "kRB5-PADATA-USE-SPECIFIED-KVNO" },
-  {  21, "kRB5-PADATA-SAM-REDIRECT" },
-  {  22, "kRB5-PADATA-GET-FROM-TYPED-DATA" },
-  {  23, "kRB5-PADATA-SAM-ETYPE-INFO" },
-  {  25, "kRB5-PADATA-SERVER-REFERRAL" },
-  {  24, "kRB5-PADATA-ALT-PRINC" },
-  {  30, "kRB5-PADATA-SAM-CHALLENGE2" },
-  {  31, "kRB5-PADATA-SAM-RESPONSE2" },
-  {  41, "kRB5-PA-EXTRA-TGT" },
-  {  71, "kRB5-PADATA-FX-FAST-ARMOR" },
-  { 102, "kRB5-PADATA-TD-KRB-PRINCIPAL" },
-  { 104, "kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS" },
-  { 105, "kRB5-PADATA-PK-TD-CERTIFICATE-INDEX" },
-  { 106, "kRB5-PADATA-TD-APP-DEFINED-ERROR" },
-  { 107, "kRB5-PADATA-TD-REQ-NONCE" },
-  { 108, "kRB5-PADATA-TD-REQ-SEQ" },
-  { 128, "kRB5-PADATA-PA-PAC-REQUEST" },
-  { 129, "kRB5-PADATA-FOR-USER" },
-  { 130, "kRB5-PADATA-FOR-X509-USER" },
-  { 131, "kRB5-PADATA-FOR-CHECK-DUPS" },
-  { 132, "kRB5-PADATA-PK-AS-09-BINDING" },
-  { 133, "kRB5-PADATA-FX-COOKIE" },
-  { 134, "kRB5-PADATA-AUTHENTICATION-SET" },
-  { 135, "kRB5-PADATA-AUTH-SET-SELECTED" },
-  { 136, "kRB5-PADATA-FX-FAST" },
-  { 137, "kRB5-PADATA-FX-ERROR" },
-  { 138, "kRB5-PADATA-ENCRYPTED-CHALLENGE" },
-  { 141, "kRB5-PADATA-OTP-CHALLENGE" },
-  { 142, "kRB5-PADATA-OTP-REQUEST" },
-  { 143, "kBB5-PADATA-OTP-CONFIRM" },
-  { 144, "kRB5-PADATA-OTP-PIN-CHANGE" },
-  { 145, "kRB5-PADATA-EPAK-AS-REQ" },
-  { 146, "kRB5-PADATA-EPAK-AS-REP" },
-  { 147, "kRB5-PADATA-PKINIT-KX" },
-  { 148, "kRB5-PADATA-PKU2U-NAME" },
-  { 149, "kRB5-PADATA-REQ-ENC-PA-REP" },
-  { 165, "kRB5-PADATA-SUPPORTED-ETYPES" },
+  { KERBEROS_PA_NONE, "PA-NONE" },
+  { KERBEROS_PA_TGS_REQ, "PA-TGS-REQ" },
+  { KERBEROS_PA_ENC_TIMESTAMP, "PA-ENC-TIMESTAMP" },
+  { KERBEROS_PA_PW_SALT, "PA-PW-SALT" },
+  { KERBEROS_PA_ENC_UNIX_TIME, "PA-ENC-UNIX-TIME" },
+  { KERBEROS_PA_SANDIA_SECUREID, "PA-SANDIA-SECUREID" },
+  { KERBEROS_PA_SESAME, "PA-SESAME" },
+  { KERBEROS_PA_OSF_DCE, "PA-OSF-DCE" },
+  { KERBEROS_PA_CYBERSAFE_SECUREID, "PA-CYBERSAFE-SECUREID" },
+  { KERBEROS_PA_AFS3_SALT, "PA-AFS3-SALT" },
+  { KERBEROS_PA_ETYPE_INFO, "PA-ETYPE-INFO" },
+  { KERBEROS_PA_SAM_CHALLENGE, "PA-SAM-CHALLENGE" },
+  { KERBEROS_PA_SAM_RESPONSE, "PA-SAM-RESPONSE" },
+  { KERBEROS_PA_PK_AS_REQ_OLD, "PA-PK-AS-REQ-OLD" },
+  { KERBEROS_PA_PK_AS_REP_OLD, "PA-PK-AS-REP-OLD" },
+  { KERBEROS_PA_PK_AS_REQ, "PA-PK-AS-REQ" },
+  { KERBEROS_PA_PK_AS_REP, "PA-PK-AS-REP" },
+  { KERBEROS_PA_PK_OCSP_RESPONSE, "PA-PK-OCSP-RESPONSE" },
+  { KERBEROS_PA_ETYPE_INFO2, "PA-ETYPE-INFO2" },
+  { KERBEROS_PA_USE_SPECIFIED_KVNO, "PA-USE-SPECIFIED-KVNO" },
+  { KERBEROS_PA_SVR_REFERRAL_INFO, "PA-SVR-REFERRAL-INFO" },
+  { KERBEROS_PA_SAM_REDIRECT, "PA-SAM-REDIRECT" },
+  { KERBEROS_PA_GET_FROM_TYPED_DATA, "PA-GET-FROM-TYPED-DATA" },
+  { KERBEROS_TD_PADATA, "TD-PADATA" },
+  { KERBEROS_PA_SAM_ETYPE_INFO, "PA-SAM-ETYPE-INFO" },
+  { KERBEROS_PA_ALT_PRINC, "PA-ALT-PRINC" },
+  { KERBEROS_PA_SERVER_REFERRAL, "PA-SERVER-REFERRAL" },
+  { KERBEROS_PA_SAM_CHALLENGE2, "PA-SAM-CHALLENGE2" },
+  { KERBEROS_PA_SAM_RESPONSE2, "PA-SAM-RESPONSE2" },
+  { KERBEROS_PA_EXTRA_TGT, "PA-EXTRA-TGT" },
+  { KERBEROS_TD_PKINIT_CMS_CERTIFICATES, "TD-PKINIT-CMS-CERTIFICATES" },
+  { KERBEROS_TD_KRB_PRINCIPAL, "TD-KRB-PRINCIPAL" },
+  { KERBEROS_TD_KRB_REALM, "TD-KRB-REALM" },
+  { KERBEROS_TD_TRUSTED_CERTIFIERS, "TD-TRUSTED-CERTIFIERS" },
+  { KERBEROS_TD_CERTIFICATE_INDEX, "TD-CERTIFICATE-INDEX" },
+  { KERBEROS_TD_APP_DEFINED_ERROR, "TD-APP-DEFINED-ERROR" },
+  { KERBEROS_TD_REQ_NONCE, "TD-REQ-NONCE" },
+  { KERBEROS_TD_REQ_SEQ, "TD-REQ-SEQ" },
+  { KERBEROS_TD_DH_PARAMETERS, "TD-DH-PARAMETERS" },
+  { KERBEROS_TD_CMS_DIGEST_ALGORITHMS, "TD-CMS-DIGEST-ALGORITHMS" },
+  { KERBEROS_TD_CERT_DIGEST_ALGORITHMS, "TD-CERT-DIGEST-ALGORITHMS" },
+  { KERBEROS_PA_PAC_REQUEST, "PA-PAC-REQUEST" },
+  { KERBEROS_PA_FOR_USER, "PA-FOR-USER" },
+  { KERBEROS_PA_FOR_X509_USER, "PA-FOR-X509-USER" },
+  { KERBEROS_PA_FOR_CHECK_DUPS, "PA-FOR-CHECK-DUPS" },
+  { KERBEROS_PA_AS_CHECKSUM, "PA-AS-CHECKSUM" },
+  { KERBEROS_PA_FX_COOKIE, "PA-FX-COOKIE" },
+  { KERBEROS_PA_AUTHENTICATION_SET, "PA-AUTHENTICATION-SET" },
+  { KERBEROS_PA_AUTH_SET_SELECTED, "PA-AUTH-SET-SELECTED" },
+  { KERBEROS_PA_FX_FAST, "PA-FX-FAST" },
+  { KERBEROS_PA_FX_ERROR, "PA-FX-ERROR" },
+  { KERBEROS_PA_ENCRYPTED_CHALLENGE, "PA-ENCRYPTED-CHALLENGE" },
+  { KERBEROS_PA_OTP_CHALLENGE, "PA-OTP-CHALLENGE" },
+  { KERBEROS_PA_OTP_REQUEST, "PA-OTP-REQUEST" },
+  { KERBEROS_PA_OTP_CONFIRM, "PA-OTP-CONFIRM" },
+  { KERBEROS_PA_OTP_PIN_CHANGE, "PA-OTP-PIN-CHANGE" },
+  { KERBEROS_PA_EPAK_AS_REQ, "PA-EPAK-AS-REQ" },
+  { KERBEROS_PA_EPAK_AS_REP, "PA-EPAK-AS-REP" },
+  { KERBEROS_PA_PKINIT_KX, "PA-PKINIT-KX" },
+  { KERBEROS_PA_PKU2U_NAME, "PA-PKU2U-NAME" },
+  { KERBEROS_PA_REQ_ENC_PA_REP, "PA-REQ-ENC-PA-REP" },
+  { KERBEROS_PA_SUPPORTED_ETYPES, "PA-SUPPORTED-ETYPES" },
+  { KERBEROS_PA_EXTENDED_ERROR, "PA-EXTENDED-ERROR" },
+  { KERBEROS_PA_PAC_OPTIONS, "PA-PAC-OPTIONS" },
+  { KERBEROS_PA_PROV_SRV_LOCATION, "PA-PROV-SRV-LOCATION" },
   { 0, NULL }
 };
 
 
 static int
 dissect_kerberos_PADATA_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 126 "./asn1/kerberos/kerberos.cnf"
+#line 152 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
                                                 &(private_data->padata_type));
 
 
 
-#line 129 "./asn1/kerberos/kerberos.cnf"
+#line 155 "./asn1/kerberos/kerberos.cnf"
        if(tree){
                proto_item_append_text(tree, " %s",
-                       val_to_str(private_data->padata_type, krb5_preauthentication_types,
+                       val_to_str(private_data->padata_type, kerberos_PADATA_TYPE_vals,
                        "Unknown:%d"));
        }
 
@@ -3052,7 +3843,7 @@ dissect_kerberos_PADATA_TYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o
 
 static int
 dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 136 "./asn1/kerberos/kerberos.cnf"
+#line 162 "./asn1/kerberos/kerberos.cnf"
        proto_tree *sub_tree=tree;
        kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
 
@@ -3061,22 +3852,30 @@ dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, in
        }
 
        switch(private_data->padata_type){
-       case KRB5_PA_TGS_REQ:
+       case KERBEROS_PA_TGS_REQ:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
                break;
-       case KRB5_PA_PK_AS_REQ:
+       case KERBEROS_PA_PK_AS_REP_OLD:
+               private_data->is_win2k_pkinit = TRUE;
+               if (kerberos_private_is_kdc_req(private_data)) {
+                       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REQ_Win2k);
+               } else {
+                       offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PA_PK_AS_REP_Win2k);
+               }
+               break;
+       case KERBEROS_PA_PK_AS_REQ:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsReq);
                break;
-       case KRB5_PA_PK_AS_REP:
+       case KERBEROS_PA_PK_AS_REP:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_pkinit_PaPkAsRep);
                break;
-       case KRB5_PA_PAC_REQUEST:
-               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_KERB_PA_PAC_REQUEST);
+       case KERBEROS_PA_PAC_REQUEST:
+               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_PAC_REQUEST);
                break;
-       case KRB5_PA_S4U2SELF:
+       case KERBEROS_PA_FOR_USER: /* S4U2SELF */
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U2Self);
                break;
-       case KRB5_PADATA_S4U_X509_USER:
+       case KERBEROS_PA_FOR_X509_USER:
                if(private_data->msg_type == KRB5_MSG_AS_REQ){
                        offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_x509af_Certificate);
                }else if(private_data->is_enc_padata){
@@ -3085,36 +3884,49 @@ dissect_kerberos_T_padata_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, in
                        offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_S4U_X509_USER);
                }
                break;
-       case KRB5_PA_PROV_SRV_LOCATION:
+       case KERBEROS_PA_PROV_SRV_LOCATION:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PA_PROV_SRV_LOCATION);
                break;
-       case KRB5_PA_ENC_TIMESTAMP:
+       case KERBEROS_PA_ENC_TIMESTAMP:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_ENC_TIMESTAMP);
                break;
-       case KRB5_PA_ENCTYPE_INFO:
+       case KERBEROS_PA_ETYPE_INFO:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO);
                break;
-       case KRB5_PA_ENCTYPE_INFO2:
+       case KERBEROS_PA_ETYPE_INFO2:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_ETYPE_INFO2);
                break;
-       case KRB5_PA_PW_SALT:
+       case KERBEROS_PA_PW_SALT:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_krb5_PW_SALT);
                break;
-       case KRB5_PA_AUTHENTICATION_SET:
-               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET);
+       case KERBEROS_PA_AUTH_SET_SELECTED:
+               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM);
                break;
-       case KRB5_PADATA_FX_FAST:
-               if(private_data->msg_type == KRB5_MSG_AS_REQ || private_data->msg_type == KRB5_MSG_TGS_REQ){
+       case KERBEROS_PA_FX_FAST:
+               if (kerberos_private_is_kdc_req(private_data)) {
                        offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REQUEST);
                }else{
                        offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_FX_FAST_REPLY);
                }
                break;
-       case KRB5_PADATA_ENCRYPTED_CHALLENGE:
+       case KERBEROS_PA_FX_ERROR:
+               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Applications);
+               break;
+       case KERBEROS_PA_ENCRYPTED_CHALLENGE:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_EncryptedChallenge);
                break;
+       case KERBEROS_PA_SUPPORTED_ETYPES:
+               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_SUPPORTED_ENCTYPES);
+               break;
+       case KERBEROS_PA_PAC_OPTIONS:
+               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_PA_PAC_OPTIONS);
+               break;
+       case KERBEROS_PA_REQ_ENC_PA_REP:
+               offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, dissect_kerberos_Checksum);
+               break;
        default:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, sub_tree, tvb, offset,hf_index, NULL);
+               break;
        }
 
 
@@ -3213,9 +4025,9 @@ dissect_kerberos_SEQUENCE_OF_ENCTYPE(gboolean implicit_tag _U_, tvbuff_t *tvb _U
 
 static int
 dissect_kerberos_T_encryptedAuthorizationData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 264 "./asn1/kerberos/kerberos.cnf"
+#line 312 "./asn1/kerberos/kerberos.cnf"
 #ifdef HAVE_KERBEROS
-       offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data);
+       offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authorization_data);
 #else
   offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
                                        NULL);
@@ -3276,7 +4088,7 @@ static const ber_sequence_t KDC_REQ_BODY_sequence[] = {
 
 static int
 dissect_kerberos_KDC_REQ_BODY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 386 "./asn1/kerberos/kerberos.cnf"
+#line 485 "./asn1/kerberos/kerberos.cnf"
        conversation_t *conversation;
 
        /*
@@ -3327,11 +4139,6 @@ dissect_kerberos_KDC_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse
 
 static int
 dissect_kerberos_AS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 430 "./asn1/kerberos/kerberos.cnf"
-       kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
-       private_data->msg_type = KRB5_MSG_AS_REQ;
-
-
   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
                                       hf_index, BER_CLASS_APP, 10, FALSE, dissect_kerberos_KDC_REQ);
 
@@ -3342,7 +4149,7 @@ dissect_kerberos_AS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
 
 static int
 dissect_kerberos_T_encryptedKDCREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 272 "./asn1/kerberos/kerberos.cnf"
+#line 328 "./asn1/kerberos/kerberos.cnf"
 #ifdef HAVE_KERBEROS
        offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KDC_REP_data);
 #else
@@ -3397,11 +4204,6 @@ dissect_kerberos_KDC_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse
 
 static int
 dissect_kerberos_AS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 434 "./asn1/kerberos/kerberos.cnf"
-       kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
-       private_data->msg_type = KRB5_MSG_AS_REP;
-
-
   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
                                       hf_index, BER_CLASS_APP, 11, FALSE, dissect_kerberos_KDC_REP);
 
@@ -3412,11 +4214,6 @@ dissect_kerberos_AS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
 
 static int
 dissect_kerberos_TGS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 442 "./asn1/kerberos/kerberos.cnf"
-       kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
-       private_data->msg_type = KRB5_MSG_TGS_REQ;
-
-
   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
                                       hf_index, BER_CLASS_APP, 12, FALSE, dissect_kerberos_KDC_REQ);
 
@@ -3427,10 +4224,6 @@ dissect_kerberos_TGS_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offse
 
 static int
 dissect_kerberos_TGS_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 446 "./asn1/kerberos/kerberos.cnf"
-       kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
-       private_data->msg_type = KRB5_MSG_TGS_REP;
-
   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
                                       hf_index, BER_CLASS_APP, 13, FALSE, dissect_kerberos_KDC_REP);
 
@@ -3455,22 +4248,57 @@ dissect_kerberos_APOptions(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int off
 }
 
 
-static const ber_sequence_t AP_REQ_U_sequence[] = {
-  { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
-  { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
-  { &hf_kerberos_ap_options , BER_CLASS_CON, 2, 0, dissect_kerberos_APOptions },
-  { &hf_kerberos_ticket     , BER_CLASS_CON, 3, 0, dissect_kerberos_Ticket },
-  { &hf_kerberos_authenticator_01, BER_CLASS_CON, 4, 0, dissect_kerberos_EncryptedAuthorizationData },
-  { NULL, 0, 0, 0, NULL }
-};
 
 static int
-dissect_kerberos_AP_REQ_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
-                                   AP_REQ_U_sequence, hf_index, ett_kerberos_AP_REQ_U);
-
-  return offset;
-}
+dissect_kerberos_T_encryptedAuthenticator_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 320 "./asn1/kerberos/kerberos.cnf"
+#ifdef HAVE_KERBEROS
+       offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_authenticator_data);
+#else
+  offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
+                                       NULL);
+
+#endif
+       return offset;
+
+
+
+  return offset;
+}
+
+
+static const ber_sequence_t EncryptedAuthenticator_sequence[] = {
+  { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
+  { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
+  { &hf_kerberos_encryptedAuthenticator_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedAuthenticator_cipher },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_EncryptedAuthenticator(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   EncryptedAuthenticator_sequence, hf_index, ett_kerberos_EncryptedAuthenticator);
+
+  return offset;
+}
+
+
+static const ber_sequence_t AP_REQ_U_sequence[] = {
+  { &hf_kerberos_pvno       , BER_CLASS_CON, 0, 0, dissect_kerberos_INTEGER_5 },
+  { &hf_kerberos_msg_type   , BER_CLASS_CON, 1, 0, dissect_kerberos_MESSAGE_TYPE },
+  { &hf_kerberos_ap_options , BER_CLASS_CON, 2, 0, dissect_kerberos_APOptions },
+  { &hf_kerberos_ticket     , BER_CLASS_CON, 3, 0, dissect_kerberos_Ticket },
+  { &hf_kerberos_authenticator_enc_part, BER_CLASS_CON, 4, 0, dissect_kerberos_EncryptedAuthenticator },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_AP_REQ_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   AP_REQ_U_sequence, hf_index, ett_kerberos_AP_REQ_U);
+
+  return offset;
+}
 
 
 
@@ -3486,7 +4314,7 @@ dissect_kerberos_AP_REQ(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
 
 static int
 dissect_kerberos_T_encryptedAPREPData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 288 "./asn1/kerberos/kerberos.cnf"
+#line 344 "./asn1/kerberos/kerberos.cnf"
 #ifdef HAVE_KERBEROS
        offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_AP_REP_data);
 #else
@@ -3547,7 +4375,7 @@ dissect_kerberos_AP_REP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset
 
 static int
 dissect_kerberos_T_kRB_SAFE_BODY_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 409 "./asn1/kerberos/kerberos.cnf"
+#line 508 "./asn1/kerberos/kerberos.cnf"
        tvbuff_t *new_tvb;
        offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
        if (new_tvb) {
@@ -3609,7 +4437,7 @@ dissect_kerberos_KRB_SAFE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs
 
 static int
 dissect_kerberos_T_encryptedKrbPrivData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 296 "./asn1/kerberos/kerberos.cnf"
+#line 352 "./asn1/kerberos/kerberos.cnf"
 #ifdef HAVE_KERBEROS
        offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PRIV_data);
 #else
@@ -3670,7 +4498,7 @@ dissect_kerberos_KRB_PRIV(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs
 
 static int
 dissect_kerberos_T_encryptedKrbCredData_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 304 "./asn1/kerberos/kerberos.cnf"
+#line 360 "./asn1/kerberos/kerberos.cnf"
 #ifdef HAVE_KERBEROS
        offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_CRED_data);
 #else
@@ -3796,14 +4624,14 @@ dissect_kerberos_METHOD_DATA(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o
 
 static int
 dissect_kerberos_T_encrypted_pa_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 423 "./asn1/kerberos/kerberos.cnf"
+#line 522 "./asn1/kerberos/kerberos.cnf"
        kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
        private_data->is_enc_padata = TRUE;
 
 
   offset = dissect_kerberos_METHOD_DATA(implicit_tag, tvb, offset, actx, tree, hf_index);
 
-#line 427 "./asn1/kerberos/kerberos.cnf"
+#line 526 "./asn1/kerberos/kerberos.cnf"
        private_data->is_enc_padata = FALSE;
 
 
@@ -3887,7 +4715,7 @@ dissect_kerberos_EncAPRepPart(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
 
 static int
 dissect_kerberos_T_encKrbPrivPart_user_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 416 "./asn1/kerberos/kerberos.cnf"
+#line 515 "./asn1/kerberos/kerberos.cnf"
        tvbuff_t *new_tvb;
        offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_index, &new_tvb);
        if (new_tvb) {
@@ -4099,18 +4927,19 @@ static const value_string kerberos_ERROR_CODE_vals[] = {
 
 static int
 dissect_kerberos_ERROR_CODE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 91 "./asn1/kerberos/kerberos.cnf"
+#line 108 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
   offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
-                                                &krb5_errorcode);
+                                                &private_data->errorcode);
 
 
 
 
-#line 94 "./asn1/kerberos/kerberos.cnf"
-       if(krb5_errorcode) {
+#line 112 "./asn1/kerberos/kerberos.cnf"
+       if (private_data->errorcode) {
                col_add_fstr(actx->pinfo->cinfo, COL_INFO,
                        "KRB Error: %s",
-                       val_to_str(krb5_errorcode, krb5_error_codes,
+                       val_to_str(private_data->errorcode, krb5_error_codes,
                        "Unknown error code %#x"));
        }
 
@@ -4123,8 +4952,10 @@ dissect_kerberos_ERROR_CODE(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of
 
 static int
 dissect_kerberos_T_e_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 104 "./asn1/kerberos/kerberos.cnf"
-       switch(krb5_errorcode){
+#line 122 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+       switch (private_data->errorcode) {
        case KRB5_ET_KRB5KDC_ERR_BADOPTION:
        case KRB5_ET_KRB5KDC_ERR_CLIENT_REVOKED:
        case KRB5_ET_KRB5KDC_ERR_KEY_EXP:
@@ -4132,16 +4963,22 @@ dissect_kerberos_T_e_data(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offs
                /* ms windows kdc sends e-data of this type containing a "salt"
                 * that contains the nt_status code for these error codes.
                 */
+               private_data->try_nt_status = TRUE;
                offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_PA_DATA);
                break;
        case KRB5_ET_KRB5KDC_ERR_PREAUTH_REQUIRED:
        case KRB5_ET_KRB5KDC_ERR_PREAUTH_FAILED:
        case KRB5_ET_KRB5KDC_ERR_ETYPE_NOSUPP:
+       case KRB5_ET_KDC_ERR_WRONG_REALM:
+       case KRB5_ET_KDC_ERR_PREAUTH_EXPIRED:
+       case KRB5_ET_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED:
+       case KRB5_ET_KDC_ERR_PREAUTH_BAD_AUTHENTICATION_SET:
+       case KRB5_ET_KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS:
                offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, dissect_kerberos_SEQUENCE_OF_PA_DATA);
-
                break;
        default:
                offset=dissect_ber_octet_string(FALSE, actx, tree, tvb, offset, hf_kerberos_e_data, NULL);
+               break;
        }
 
 
@@ -4181,11 +5018,6 @@ dissect_kerberos_KRB_ERROR_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o
 
 static int
 dissect_kerberos_KRB_ERROR(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 438 "./asn1/kerberos/kerberos.cnf"
-       kerberos_private_data_t* private_data = kerberos_get_private_data(actx);
-       private_data->msg_type = KRB5_MSG_ERROR;
-
-
   offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
                                       hf_index, BER_CLASS_APP, 30, FALSE, dissect_kerberos_KRB_ERROR_U);
 
@@ -4225,26 +5057,10 @@ dissect_kerberos_Applications(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
 }
 
 
-static const ber_sequence_t EncryptedData_sequence[] = {
-  { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
-  { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
-  { &hf_kerberos_cipher     , BER_CLASS_CON, 2, 0, dissect_kerberos_OCTET_STRING },
-  { NULL, 0, 0, 0, NULL }
-};
-
-static int
-dissect_kerberos_EncryptedData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
-                                   EncryptedData_sequence, hf_index, ett_kerberos_EncryptedData);
-
-  return offset;
-}
-
-
 
 static int
 dissect_kerberos_T_pA_ENC_TIMESTAMP_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 280 "./asn1/kerberos/kerberos.cnf"
+#line 336 "./asn1/kerberos/kerberos.cnf"
 #ifdef HAVE_KERBEROS
        offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_PA_ENC_TIMESTAMP);
 #else
@@ -4276,9 +5092,24 @@ dissect_kerberos_PA_ENC_TIMESTAMP(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
 }
 
 
+static const ber_sequence_t PA_ENC_TS_ENC_sequence[] = {
+  { &hf_kerberos_patimestamp, BER_CLASS_CON, 0, 0, dissect_kerberos_KerberosTime },
+  { &hf_kerberos_pausec     , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_Microseconds },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_PA_ENC_TS_ENC(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   PA_ENC_TS_ENC_sequence, hf_index, ett_kerberos_PA_ENC_TS_ENC);
+
+  return offset;
+}
+
+
 static const ber_sequence_t ETYPE_INFO_ENTRY_sequence[] = {
   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
-  { &hf_kerberos_salt       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
+  { &hf_kerberos_info_salt  , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
   { NULL, 0, 0, 0, NULL }
 };
 
@@ -4306,7 +5137,7 @@ dissect_kerberos_ETYPE_INFO(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int of
 
 static const ber_sequence_t ETYPE_INFO2_ENTRY_sequence[] = {
   { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
-  { &hf_kerberos_salt_01    , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosString },
+  { &hf_kerberos_info2_salt , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_KerberosString },
   { &hf_kerberos_s2kparams  , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
   { NULL, 0, 0, 0, NULL }
 };
@@ -4343,6 +5174,29 @@ dissect_kerberos_AD_IF_RELEVANT(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, in
 
 
 
+static int
+dissect_kerberos_BOOLEAN(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_boolean(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+
+  return offset;
+}
+
+
+static const ber_sequence_t PA_PAC_REQUEST_sequence[] = {
+  { &hf_kerberos_include_pac, BER_CLASS_CON, 0, 0, dissect_kerberos_BOOLEAN },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   PA_PAC_REQUEST_sequence, hf_index, ett_kerberos_PA_PAC_REQUEST);
+
+  return offset;
+}
+
+
+
 static int
 dissect_kerberos_GeneralString(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
   offset = dissect_ber_restricted_string(implicit_tag, BER_UNI_TAG_GeneralString,
@@ -4373,7 +5227,7 @@ dissect_kerberos_PA_S4U2Self(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int o
 
 static int
 dissect_kerberos_T_subject_certificate(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-#line 379 "./asn1/kerberos/kerberos.cnf"
+#line 478 "./asn1/kerberos/kerberos.cnf"
        offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset,hf_index, dissect_x509af_Certificate);
 
 
@@ -4426,24 +5280,58 @@ dissect_kerberos_PA_S4U_X509_USER(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
 }
 
 
+static const asn_namedbit PAC_OptionFlags_bits[] = {
+  {  0, &hf_kerberos_PAC_OptionFlags_claims, -1, -1, "claims", NULL },
+  {  1, &hf_kerberos_PAC_OptionFlags_branch_aware, -1, -1, "branch-aware", NULL },
+  {  2, &hf_kerberos_PAC_OptionFlags_forward_to_full_dc, -1, -1, "forward-to-full-dc", NULL },
+  {  3, &hf_kerberos_PAC_OptionFlags_resource_based_constrained_delegation, -1, -1, "resource-based-constrained-delegation", NULL },
+  { 0, NULL, 0, 0, NULL, NULL }
+};
 
 static int
-dissect_kerberos_BOOLEAN(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-  offset = dissect_ber_boolean(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+dissect_kerberos_PAC_OptionFlags(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
+                                    PAC_OptionFlags_bits, hf_index, ett_kerberos_PAC_OptionFlags,
+                                    NULL);
 
   return offset;
 }
 
 
-static const ber_sequence_t KERB_PA_PAC_REQUEST_sequence[] = {
-  { &hf_kerberos_include_pac, BER_CLASS_CON, 0, 0, dissect_kerberos_BOOLEAN },
+static const ber_sequence_t PA_PAC_OPTIONS_sequence[] = {
+  { &hf_kerberos_option_flags, BER_CLASS_CON, 0, 0, dissect_kerberos_PAC_OptionFlags },
   { NULL, 0, 0, 0, NULL }
 };
 
 static int
-dissect_kerberos_KERB_PA_PAC_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+dissect_kerberos_PA_PAC_OPTIONS(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
-                                   KERB_PA_PAC_REQUEST_sequence, hf_index, ett_kerberos_KERB_PA_PAC_REQUEST);
+                                   PA_PAC_OPTIONS_sequence, hf_index, ett_kerberos_PA_PAC_OPTIONS);
+
+  return offset;
+}
+
+
+static const ber_sequence_t KERB_AD_RESTRICTION_ENTRY_U_sequence[] = {
+  { &hf_kerberos_restriction_type, BER_CLASS_CON, 0, 0, dissect_kerberos_Int32 },
+  { &hf_kerberos_restriction, BER_CLASS_CON, 1, 0, dissect_kerberos_OCTET_STRING },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_KERB_AD_RESTRICTION_ENTRY_U(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   KERB_AD_RESTRICTION_ENTRY_U_sequence, hf_index, ett_kerberos_KERB_AD_RESTRICTION_ENTRY_U);
+
+  return offset;
+}
+
+
+
+static int
+dissect_kerberos_KERB_AD_RESTRICTION_ENTRY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_tagged_type(implicit_tag, actx, tree, tvb, offset,
+                                      hf_index, BER_CLASS_UNI, 16, FALSE, dissect_kerberos_KERB_AD_RESTRICTION_ENTRY_U);
 
   return offset;
 }
@@ -4466,7 +5354,7 @@ dissect_kerberos_ChangePasswdData(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
 
 
 static const ber_sequence_t PA_AUTHENTICATION_SET_ELEM_sequence[] = {
-  { &hf_kerberos_pa_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_Int32 },
+  { &hf_kerberos_pa_type    , BER_CLASS_CON, 0, 0, dissect_kerberos_PADATA_TYPE },
   { &hf_kerberos_pa_hint    , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
   { &hf_kerberos_pa_value   , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_OCTET_STRING },
   { NULL, 0, 0, 0, NULL }
@@ -4481,22 +5369,51 @@ dissect_kerberos_PA_AUTHENTICATION_SET_ELEM(gboolean implicit_tag _U_, tvbuff_t
 }
 
 
-static const ber_sequence_t PA_AUTHENTICATION_SET_sequence_of[1] = {
-  { &hf_kerberos_PA_AUTHENTICATION_SET_item, BER_CLASS_UNI, BER_UNI_TAG_SEQUENCE, BER_FLAGS_NOOWNTAG, dissect_kerberos_PA_AUTHENTICATION_SET_ELEM },
+static const value_string kerberos_KrbFastArmorTypes_vals[] = {
+  { KERBEROS_FX_FAST_RESERVED, "FX-FAST-reserved" },
+  { KERBEROS_FX_FAST_ARMOR_AP_REQUEST, "FX-FAST-ARMOR-AP-REQUEST" },
+  { 0, NULL }
 };
 
+
 static int
-dissect_kerberos_PA_AUTHENTICATION_SET(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-  offset = dissect_ber_sequence_of(implicit_tag, actx, tree, tvb, offset,
-                                      PA_AUTHENTICATION_SET_sequence_of, hf_index, ett_kerberos_PA_AUTHENTICATION_SET);
+dissect_kerberos_KrbFastArmorTypes(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 553 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+  offset = dissect_ber_integer(implicit_tag, actx, tree, tvb, offset, hf_index,
+                                                &(private_data->fast_type));
+
+
+
+
+  return offset;
+}
+
+
+
+static int
+dissect_kerberos_T_armor_value(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 574 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+
+       switch(private_data->fast_type){
+       case KERBEROS_FX_FAST_ARMOR_AP_REQUEST:
+               offset=dissect_ber_octet_string_wcb(implicit_tag, actx, tree, tvb, offset, hf_index, dissect_kerberos_Applications);
+               break;
+       default:
+               offset=dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index, NULL);
+               break;
+       }
+
+
 
   return offset;
 }
 
 
 static const ber_sequence_t KrbFastArmor_sequence[] = {
-  { &hf_kerberos_armor_type , BER_CLASS_CON, 0, 0, dissect_kerberos_Int32 },
-  { &hf_kerberos_armor_value, BER_CLASS_CON, 1, 0, dissect_kerberos_OCTET_STRING },
+  { &hf_kerberos_armor_type , BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmorTypes },
+  { &hf_kerberos_armor_value, BER_CLASS_CON, 1, 0, dissect_kerberos_T_armor_value },
   { NULL, 0, 0, 0, NULL }
 };
 
@@ -4509,24 +5426,77 @@ dissect_kerberos_KrbFastArmor(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int
 }
 
 
+
+static int
+dissect_kerberos_T_encryptedKrbFastReq_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 529 "./asn1/kerberos/kerberos.cnf"
+#ifdef HAVE_KERBEROS
+       offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastReq);
+#else
+  offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
+                                       NULL);
+
+#endif
+       return offset;
+
+
+
+  return offset;
+}
+
+
+static const ber_sequence_t EncryptedKrbFastReq_sequence[] = {
+  { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
+  { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
+  { &hf_kerberos_encryptedKrbFastReq_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedKrbFastReq_cipher },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_EncryptedKrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   EncryptedKrbFastReq_sequence, hf_index, ett_kerberos_EncryptedKrbFastReq);
+
+  return offset;
+}
+
+
 static const ber_sequence_t KrbFastArmoredReq_sequence[] = {
   { &hf_kerberos_armor      , BER_CLASS_CON, 0, BER_FLAGS_OPTIONAL, dissect_kerberos_KrbFastArmor },
   { &hf_kerberos_req_checksum, BER_CLASS_CON, 1, 0, dissect_kerberos_Checksum },
-  { &hf_kerberos_enc_fast_req, BER_CLASS_CON, 2, 0, dissect_kerberos_EncryptedData },
+  { &hf_kerberos_enc_fast_req, BER_CLASS_CON, 2, 0, dissect_kerberos_EncryptedKrbFastReq },
   { NULL, 0, 0, 0, NULL }
 };
 
 static int
 dissect_kerberos_KrbFastArmoredReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 557 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       gboolean fast_armor_request = FALSE;
+
+       if (!private_data->fast_armor_request) {
+               fast_armor_request = TRUE;
+               private_data->fast_armor_request = TRUE;
+       }
+
   offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
                                    KrbFastArmoredReq_sequence, hf_index, ett_kerberos_KrbFastArmoredReq);
 
+
+       if (fast_armor_request) {
+               krb5_fast_armor_key(actx->pinfo,
+                                   private_data->fast_armor_remote_subkey,
+                                   private_data->fast_armor_ticket_sessionkey);
+       }
+
+
+
   return offset;
 }
 
 
 static const ber_choice_t PA_FX_FAST_REQUEST_choice[] = {
-  {   0, &hf_kerberos_armored_data, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredReq },
+  {   0, &hf_kerberos_armored_data_request, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredReq },
   { 0, NULL, 0, 0, 0, NULL }
 };
 
@@ -4540,8 +5510,76 @@ dissect_kerberos_PA_FX_FAST_REQUEST(gboolean implicit_tag _U_, tvbuff_t *tvb _U_
 }
 
 
+static const asn_namedbit FastOptions_bits[] = {
+  {  0, &hf_kerberos_FastOptions_reserved, -1, -1, "reserved", NULL },
+  {  1, &hf_kerberos_FastOptions_hide_client_names, -1, -1, "hide-client-names", NULL },
+  { 16, &hf_kerberos_FastOptions_kdc_follow_referrals, -1, -1, "kdc-follow-referrals", NULL },
+  { 0, NULL, 0, 0, NULL, NULL }
+};
+
+static int
+dissect_kerberos_FastOptions(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_bitstring(implicit_tag, actx, tree, tvb, offset,
+                                    FastOptions_bits, hf_index, ett_kerberos_FastOptions,
+                                    NULL);
+
+  return offset;
+}
+
+
+static const ber_sequence_t KrbFastReq_sequence[] = {
+  { &hf_kerberos_fast_options, BER_CLASS_CON, 0, 0, dissect_kerberos_FastOptions },
+  { &hf_kerberos_padata     , BER_CLASS_CON, 1, 0, dissect_kerberos_SEQUENCE_OF_PA_DATA },
+  { &hf_kerberos_req_body   , BER_CLASS_CON, 2, 0, dissect_kerberos_KDC_REQ_BODY },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_KrbFastReq(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   KrbFastReq_sequence, hf_index, ett_kerberos_KrbFastReq);
+
+  return offset;
+}
+
+
+
+static int
+dissect_kerberos_T_encryptedKrbFastResponse_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 537 "./asn1/kerberos/kerberos.cnf"
+#ifdef HAVE_KERBEROS
+       offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_KrbFastResponse);
+#else
+  offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
+                                       NULL);
+
+#endif
+       return offset;
+
+
+
+  return offset;
+}
+
+
+static const ber_sequence_t EncryptedKrbFastResponse_sequence[] = {
+  { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
+  { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
+  { &hf_kerberos_encryptedKrbFastResponse_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedKrbFastResponse_cipher },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_EncryptedKrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   EncryptedKrbFastResponse_sequence, hf_index, ett_kerberos_EncryptedKrbFastResponse);
+
+  return offset;
+}
+
+
 static const ber_sequence_t KrbFastArmoredRep_sequence[] = {
-  { &hf_kerberos_enc_fast_rep, BER_CLASS_CON, 0, 0, dissect_kerberos_EncryptedData },
+  { &hf_kerberos_enc_fast_rep, BER_CLASS_CON, 0, 0, dissect_kerberos_EncryptedKrbFastResponse },
   { NULL, 0, 0, 0, NULL }
 };
 
@@ -4555,7 +5593,7 @@ dissect_kerberos_KrbFastArmoredRep(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
 
 
 static const ber_choice_t PA_FX_FAST_REPLY_choice[] = {
-  {   0, &hf_kerberos_armored_data_01, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredRep },
+  {   0, &hf_kerberos_armored_data_reply, BER_CLASS_CON, 0, 0, dissect_kerberos_KrbFastArmoredRep },
   { 0, NULL, 0, 0, 0, NULL }
 };
 
@@ -4570,16 +5608,93 @@ dissect_kerberos_PA_FX_FAST_REPLY(gboolean implicit_tag _U_, tvbuff_t *tvb _U_,
 
 
 
+static int
+dissect_kerberos_T_strengthen_key(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 586 "./asn1/kerberos/kerberos.cnf"
+       kerberos_private_data_t *private_data = kerberos_get_private_data(actx);
+       private_data->fast_strengthen_key_needed = TRUE;
+       private_data->fast_strengthen_key = NULL;
+  offset = dissect_kerberos_EncryptionKey(implicit_tag, tvb, offset, actx, tree, hf_index);
+
+       private_data->fast_strengthen_key_needed = FALSE;
+
+
+  return offset;
+}
+
+
+static const ber_sequence_t KrbFastFinished_sequence[] = {
+  { &hf_kerberos_timestamp  , BER_CLASS_CON, 0, 0, dissect_kerberos_KerberosTime },
+  { &hf_kerberos_usec       , BER_CLASS_CON, 1, 0, dissect_kerberos_Microseconds },
+  { &hf_kerberos_crealm     , BER_CLASS_CON, 2, 0, dissect_kerberos_Realm },
+  { &hf_kerberos_cname_01   , BER_CLASS_CON, 3, 0, dissect_kerberos_PrincipalName },
+  { &hf_kerberos_ticket_checksum, BER_CLASS_CON, 4, 0, dissect_kerberos_Checksum },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_KrbFastFinished(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   KrbFastFinished_sequence, hf_index, ett_kerberos_KrbFastFinished);
+
+  return offset;
+}
+
+
+static const ber_sequence_t KrbFastResponse_sequence[] = {
+  { &hf_kerberos_padata     , BER_CLASS_CON, 0, 0, dissect_kerberos_SEQUENCE_OF_PA_DATA },
+  { &hf_kerberos_strengthen_key, BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_T_strengthen_key },
+  { &hf_kerberos_finished   , BER_CLASS_CON, 2, BER_FLAGS_OPTIONAL, dissect_kerberos_KrbFastFinished },
+  { &hf_kerberos_nonce      , BER_CLASS_CON, 3, 0, dissect_kerberos_UInt32 },
+  { NULL, 0, 0, 0, NULL }
+};
+
+static int
+dissect_kerberos_KrbFastResponse(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   KrbFastResponse_sequence, hf_index, ett_kerberos_KrbFastResponse);
+
+  return offset;
+}
+
+
+
+static int
+dissect_kerberos_T_encryptedChallenge_cipher(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
+#line 545 "./asn1/kerberos/kerberos.cnf"
+#ifdef HAVE_KERBEROS
+       offset=dissect_ber_octet_string_wcb(FALSE, actx, tree, tvb, offset, hf_index, dissect_krb5_decrypt_EncryptedChallenge);
+#else
+  offset = dissect_ber_octet_string(implicit_tag, actx, tree, tvb, offset, hf_index,
+                                       NULL);
+
+#endif
+       return offset;
+
+
+
+  return offset;
+}
+
+
+static const ber_sequence_t EncryptedChallenge_sequence[] = {
+  { &hf_kerberos_etype      , BER_CLASS_CON, 0, 0, dissect_kerberos_ENCTYPE },
+  { &hf_kerberos_kvno       , BER_CLASS_CON, 1, BER_FLAGS_OPTIONAL, dissect_kerberos_UInt32 },
+  { &hf_kerberos_encryptedChallenge_cipher, BER_CLASS_CON, 2, 0, dissect_kerberos_T_encryptedChallenge_cipher },
+  { NULL, 0, 0, 0, NULL }
+};
+
 static int
 dissect_kerberos_EncryptedChallenge(gboolean implicit_tag _U_, tvbuff_t *tvb _U_, int offset _U_, asn1_ctx_t *actx _U_, proto_tree *tree _U_, int hf_index _U_) {
-  offset = dissect_kerberos_EncryptedData(implicit_tag, tvb, offset, actx, tree, hf_index);
+  offset = dissect_ber_sequence(implicit_tag, actx, tree, tvb, offset,
+                                   EncryptedChallenge_sequence, hf_index, ett_kerberos_EncryptedChallenge);
 
   return offset;
 }
 
 
 /*--- End of included file: packet-kerberos-fn.c ---*/
-#line 1887 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2460 "./asn1/kerberos/packet-kerberos-template.c"
 
 /* Make wrappers around exported functions for now */
 int
@@ -4920,9 +6035,18 @@ void proto_register_kerberos(void) {
        { &hf_krb_pac_logon_info, {
                "PAC_LOGON_INFO", "kerberos.pac_logon_info", FT_BYTES, BASE_NONE,
                NULL, 0, "PAC_LOGON_INFO structure", HFILL }},
-       { &hf_krb_pac_credential_type, {
-               "PAC_CREDENTIAL_TYPE", "kerberos.pac_credential_type", FT_BYTES, BASE_NONE,
-               NULL, 0, "PAC_CREDENTIAL_TYPE structure", HFILL }},
+       { &hf_krb_pac_credential_data, {
+               "PAC_CREDENTIAL_DATA", "kerberos.pac_credential_data", FT_BYTES, BASE_NONE,
+               NULL, 0, "PAC_CREDENTIAL_DATA structure", HFILL }},
+       { &hf_krb_pac_credential_info, {
+               "PAC_CREDENTIAL_INFO", "kerberos.pac_credential_info", FT_BYTES, BASE_NONE,
+               NULL, 0, "PAC_CREDENTIAL_INFO structure", HFILL }},
+       { &hf_krb_pac_credential_info_version, {
+               "Version", "kerberos.pac_credential_info.version", FT_UINT32, BASE_DEC,
+               NULL, 0, NULL, HFILL }},
+       { &hf_krb_pac_credential_info_etype, {
+               "Etype", "kerberos.pac_credential_info.etype", FT_UINT32, BASE_DEC,
+               NULL, 0, NULL, HFILL }},
        { &hf_krb_pac_server_checksum, {
                "PAC_SERVER_CHECKSUM", "kerberos.pac_server_checksum", FT_BYTES, BASE_NONE,
                NULL, 0, "PAC_SERVER_CHECKSUM structure", HFILL }},
@@ -4959,6 +6083,54 @@ void proto_register_kerberos(void) {
        { &hf_krb_pac_upn_dns_name, {
                "DNS Name", "kerberos.pac.upn.dns_name", FT_STRING, BASE_NONE,
                NULL, 0, NULL, HFILL }},
+       { &hf_krb_pac_client_claims_info, {
+               "PAC_CLIENT_CLAIMS_INFO", "kerberos.pac_client_claims_info", FT_BYTES, BASE_NONE,
+               NULL, 0, "PAC_CLIENT_CLAIMS_INFO structure", HFILL }},
+       { &hf_krb_pac_device_info, {
+               "PAC_DEVICE_INFO", "kerberos.pac_device_info", FT_BYTES, BASE_NONE,
+               NULL, 0, "PAC_DEVICE_INFO structure", HFILL }},
+       { &hf_krb_pac_device_claims_info, {
+               "PAC_DEVICE_CLAIMS_INFO", "kerberos.pac_device_claims_info", FT_BYTES, BASE_NONE,
+               NULL, 0, "PAC_DEVICE_CLAIMS_INFO structure", HFILL }},
+       { &hf_krb_pa_supported_enctypes,
+         { "SupportedEnctypes", "kerberos.supported_entypes",
+           FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_des_cbc_crc,
+         { "des-cbc-crc", "kerberos.supported_entypes.des-cbc-crc",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000001, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_des_cbc_md5,
+         { "des-cbc-md5", "kerberos.supported_entypes.des-cbc-md5",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000002, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_rc4_hmac,
+         { "rc4-hmac", "kerberos.supported_entypes.rc4-hmac",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000004, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_aes128_cts_hmac_sha1_96,
+         { "aes128-cts-hmac-sha1-96", "kerberos.supported_entypes.aes128-cts-hmac-sha1-96",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000008, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_aes256_cts_hmac_sha1_96,
+         { "aes256-cts-hmac-sha1-96", "kerberos.supported_entypes.aes256-cts-hmac-sha1-96",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00000010, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_fast_supported,
+         { "fast-supported", "kerberos.supported_entypes.fast-supported",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00010000, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_compound_identity_supported,
+         { "compound-identity-supported", "kerberos.supported_entypes.compound-identity-supported",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00020000, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_claims_supported,
+         { "claims-supported", "kerberos.supported_entypes.claims-supported",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00040000, NULL, HFILL }},
+       { &hf_krb_pa_supported_enctypes_resource_sid_compression_disabled,
+         { "resource-sid-compression-disabled", "kerberos.supported_entypes.resource-sid-compression-disabled",
+           FT_BOOLEAN, 32, TFS(&supported_tfs), 0x00080000, NULL, HFILL }},
+       { &hf_krb_ad_ap_options,
+         { "AD-AP-Options", "kerberos.ad_ap_options",
+           FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }},
+       { &hf_krb_ad_ap_options_cbt,
+         { "ChannelBindings", "kerberos.ad_ap_options.cbt",
+           FT_BOOLEAN, 32, TFS(&set_tfs), 0x00004000, NULL, HFILL }},
+       { &hf_krb_ad_target_principal, {
+               "Target Principal", "kerberos.ad_target_principal", FT_STRING, BASE_NONE,
+               NULL, 0, NULL, HFILL }},
 
 
 /*--- Included file: packet-kerberos-hfarr.c ---*/
@@ -5081,8 +6253,8 @@ void proto_register_kerberos(void) {
         NULL, HFILL }},
     { &hf_kerberos_ad_type,
       { "ad-type", "kerberos.ad_type",
-        FT_INT32, BASE_DEC, VALS(krb5_ad_types), 0,
-        NULL, HFILL }},
+        FT_INT32, BASE_DEC, VALS(kerberos_AUTHDATA_TYPE_vals), 0,
+        "AUTHDATA_TYPE", HFILL }},
     { &hf_kerberos_ad_data,
       { "ad-data", "kerberos.ad_data",
         FT_BYTES, BASE_NONE, NULL, 0,
@@ -5095,18 +6267,6 @@ void proto_register_kerberos(void) {
       { "padata-value", "kerberos.padata_value",
         FT_BYTES, BASE_NONE, NULL, 0,
         NULL, HFILL }},
-    { &hf_kerberos_etype,
-      { "etype", "kerberos.etype",
-        FT_INT32, BASE_DEC, VALS(kerberos_ENCTYPE_vals), 0,
-        "ENCTYPE", HFILL }},
-    { &hf_kerberos_kvno,
-      { "kvno", "kerberos.kvno",
-        FT_UINT32, BASE_DEC, NULL, 0,
-        "UInt32", HFILL }},
-    { &hf_kerberos_cipher,
-      { "cipher", "kerberos.cipher",
-        FT_BYTES, BASE_NONE, NULL, 0,
-        "OCTET_STRING", HFILL }},
     { &hf_kerberos_keytype,
       { "keytype", "kerberos.keytype",
         FT_INT32, BASE_DEC, NULL, 0,
@@ -5123,6 +6283,14 @@ void proto_register_kerberos(void) {
       { "checksum", "kerberos.checksum",
         FT_BYTES, BASE_NONE, NULL, 0,
         NULL, HFILL }},
+    { &hf_kerberos_etype,
+      { "etype", "kerberos.etype",
+        FT_INT32, BASE_DEC, VALS(kerberos_ENCTYPE_vals), 0,
+        "ENCTYPE", HFILL }},
+    { &hf_kerberos_kvno,
+      { "kvno", "kerberos.kvno",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        "UInt32", HFILL }},
     { &hf_kerberos_encryptedTicketData_cipher,
       { "cipher", "kerberos.cipher",
         FT_BYTES, BASE_NONE, NULL, 0,
@@ -5131,6 +6299,10 @@ void proto_register_kerberos(void) {
       { "cipher", "kerberos.cipher",
         FT_BYTES, BASE_NONE, NULL, 0,
         "T_encryptedAuthorizationData_cipher", HFILL }},
+    { &hf_kerberos_encryptedAuthenticator_cipher,
+      { "cipher", "kerberos.cipher",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "T_encryptedAuthenticator_cipher", HFILL }},
     { &hf_kerberos_encryptedKDCREPData_cipher,
       { "cipher", "kerberos.cipher",
         FT_BYTES, BASE_NONE, NULL, 0,
@@ -5315,10 +6487,10 @@ void proto_register_kerberos(void) {
       { "ap-options", "kerberos.ap_options",
         FT_BYTES, BASE_NONE, NULL, 0,
         "APOptions", HFILL }},
-    { &hf_kerberos_authenticator_01,
+    { &hf_kerberos_authenticator_enc_part,
       { "authenticator", "kerberos.authenticator_element",
         FT_NONE, BASE_NONE, NULL, 0,
-        "EncryptedAuthorizationData", HFILL }},
+        "EncryptedAuthenticator", HFILL }},
     { &hf_kerberos_authenticator_vno,
       { "authenticator-vno", "kerberos.authenticator_vno",
         FT_UINT32, BASE_DEC, NULL, 0,
@@ -5439,7 +6611,15 @@ void proto_register_kerberos(void) {
       { "cipher", "kerberos.cipher",
         FT_BYTES, BASE_NONE, NULL, 0,
         "T_pA_ENC_TIMESTAMP_cipher", HFILL }},
-    { &hf_kerberos_salt,
+    { &hf_kerberos_patimestamp,
+      { "patimestamp", "kerberos.patimestamp",
+        FT_STRING, BASE_NONE, NULL, 0,
+        "KerberosTime", HFILL }},
+    { &hf_kerberos_pausec,
+      { "pausec", "kerberos.pausec",
+        FT_UINT32, BASE_DEC, NULL, 0,
+        "Microseconds", HFILL }},
+    { &hf_kerberos_info_salt,
       { "salt", "kerberos.salt",
         FT_BYTES, BASE_NONE, NULL, 0,
         "OCTET_STRING", HFILL }},
@@ -5447,7 +6627,7 @@ void proto_register_kerberos(void) {
       { "ETYPE-INFO-ENTRY", "kerberos.ETYPE_INFO_ENTRY_element",
         FT_NONE, BASE_NONE, NULL, 0,
         NULL, HFILL }},
-    { &hf_kerberos_salt_01,
+    { &hf_kerberos_info2_salt,
       { "salt", "kerberos.salt",
         FT_STRING, BASE_NONE, NULL, 0,
         "KerberosString", HFILL }},
@@ -5459,6 +6639,10 @@ void proto_register_kerberos(void) {
       { "ETYPE-INFO2-ENTRY", "kerberos.ETYPE_INFO2_ENTRY_element",
         FT_NONE, BASE_NONE, NULL, 0,
         NULL, HFILL }},
+    { &hf_kerberos_include_pac,
+      { "include-pac", "kerberos.include_pac",
+        FT_BOOLEAN, BASE_NONE, NULL, 0,
+        "BOOLEAN", HFILL }},
     { &hf_kerberos_name,
       { "name", "kerberos.name_element",
         FT_NONE, BASE_NONE, NULL, 0,
@@ -5487,10 +6671,18 @@ void proto_register_kerberos(void) {
       { "options", "kerberos.options",
         FT_BYTES, BASE_NONE, NULL, 0,
         "BIT_STRING", HFILL }},
-    { &hf_kerberos_include_pac,
-      { "include-pac", "kerberos.include_pac",
-        FT_BOOLEAN, BASE_NONE, NULL, 0,
-        "BOOLEAN", HFILL }},
+    { &hf_kerberos_option_flags,
+      { "option-flags", "kerberos.option_flags",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "PAC_OptionFlags", HFILL }},
+    { &hf_kerberos_restriction_type,
+      { "restriction-type", "kerberos.restriction_type",
+        FT_INT32, BASE_DEC, NULL, 0,
+        "Int32", HFILL }},
+    { &hf_kerberos_restriction,
+      { "restriction", "kerberos.restriction",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "OCTET_STRING", HFILL }},
     { &hf_kerberos_newpasswd,
       { "newpasswd", "kerberos.newpasswd",
         FT_BYTES, BASE_NONE, NULL, 0,
@@ -5503,14 +6695,10 @@ void proto_register_kerberos(void) {
       { "targrealm", "kerberos.targrealm",
         FT_STRING, BASE_NONE, NULL, 0,
         "Realm", HFILL }},
-    { &hf_kerberos_PA_AUTHENTICATION_SET_item,
-      { "PA-AUTHENTICATION-SET-ELEM", "kerberos.PA_AUTHENTICATION_SET_ELEM_element",
-        FT_NONE, BASE_NONE, NULL, 0,
-        NULL, HFILL }},
     { &hf_kerberos_pa_type,
       { "pa-type", "kerberos.pa_type",
-        FT_INT32, BASE_DEC, NULL, 0,
-        "Int32", HFILL }},
+        FT_INT32, BASE_DEC, VALS(kerberos_PADATA_TYPE_vals), 0,
+        "PADATA_TYPE", HFILL }},
     { &hf_kerberos_pa_hint,
       { "pa-hint", "kerberos.pa_hint",
         FT_BYTES, BASE_NONE, NULL, 0,
@@ -5521,16 +6709,20 @@ void proto_register_kerberos(void) {
         "OCTET_STRING", HFILL }},
     { &hf_kerberos_armor_type,
       { "armor-type", "kerberos.armor_type",
-        FT_INT32, BASE_DEC, NULL, 0,
-        "Int32", HFILL }},
+        FT_INT32, BASE_DEC, VALS(kerberos_KrbFastArmorTypes_vals), 0,
+        "KrbFastArmorTypes", HFILL }},
     { &hf_kerberos_armor_value,
       { "armor-value", "kerberos.armor_value",
         FT_BYTES, BASE_NONE, NULL, 0,
-        "OCTET_STRING", HFILL }},
-    { &hf_kerberos_armored_data,
+        NULL, HFILL }},
+    { &hf_kerberos_armored_data_request,
       { "armored-data", "kerberos.armored_data_element",
         FT_NONE, BASE_NONE, NULL, 0,
         "KrbFastArmoredReq", HFILL }},
+    { &hf_kerberos_encryptedKrbFastReq_cipher,
+      { "cipher", "kerberos.cipher",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "T_encryptedKrbFastReq_cipher", HFILL }},
     { &hf_kerberos_armor,
       { "armor", "kerberos.armor_element",
         FT_NONE, BASE_NONE, NULL, 0,
@@ -5542,15 +6734,39 @@ void proto_register_kerberos(void) {
     { &hf_kerberos_enc_fast_req,
       { "enc-fast-req", "kerberos.enc_fast_req_element",
         FT_NONE, BASE_NONE, NULL, 0,
-        "EncryptedData", HFILL }},
-    { &hf_kerberos_armored_data_01,
+        "EncryptedKrbFastReq", HFILL }},
+    { &hf_kerberos_fast_options,
+      { "fast-options", "kerberos.fast_options",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "FastOptions", HFILL }},
+    { &hf_kerberos_armored_data_reply,
       { "armored-data", "kerberos.armored_data_element",
         FT_NONE, BASE_NONE, NULL, 0,
         "KrbFastArmoredRep", HFILL }},
+    { &hf_kerberos_encryptedKrbFastResponse_cipher,
+      { "cipher", "kerberos.cipher",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "T_encryptedKrbFastResponse_cipher", HFILL }},
     { &hf_kerberos_enc_fast_rep,
       { "enc-fast-rep", "kerberos.enc_fast_rep_element",
         FT_NONE, BASE_NONE, NULL, 0,
-        "EncryptedData", HFILL }},
+        "EncryptedKrbFastResponse", HFILL }},
+    { &hf_kerberos_strengthen_key,
+      { "strengthen-key", "kerberos.strengthen_key_element",
+        FT_NONE, BASE_NONE, NULL, 0,
+        NULL, HFILL }},
+    { &hf_kerberos_finished,
+      { "finished", "kerberos.finished_element",
+        FT_NONE, BASE_NONE, NULL, 0,
+        "KrbFastFinished", HFILL }},
+    { &hf_kerberos_ticket_checksum,
+      { "ticket-checksum", "kerberos.ticket_checksum_element",
+        FT_NONE, BASE_NONE, NULL, 0,
+        "Checksum", HFILL }},
+    { &hf_kerberos_encryptedChallenge_cipher,
+      { "cipher", "kerberos.cipher",
+        FT_BYTES, BASE_NONE, NULL, 0,
+        "T_encryptedChallenge_cipher", HFILL }},
     { &hf_kerberos_APOptions_reserved,
       { "reserved", "kerberos.reserved",
         FT_BOOLEAN, 8, NULL, 0x80,
@@ -5759,9 +6975,37 @@ void proto_register_kerberos(void) {
       { "validate", "kerberos.validate",
         FT_BOOLEAN, 8, NULL, 0x01,
         NULL, HFILL }},
+    { &hf_kerberos_PAC_OptionFlags_claims,
+      { "claims", "kerberos.claims",
+        FT_BOOLEAN, 8, NULL, 0x80,
+        NULL, HFILL }},
+    { &hf_kerberos_PAC_OptionFlags_branch_aware,
+      { "branch-aware", "kerberos.branch-aware",
+        FT_BOOLEAN, 8, NULL, 0x40,
+        NULL, HFILL }},
+    { &hf_kerberos_PAC_OptionFlags_forward_to_full_dc,
+      { "forward-to-full-dc", "kerberos.forward-to-full-dc",
+        FT_BOOLEAN, 8, NULL, 0x20,
+        NULL, HFILL }},
+    { &hf_kerberos_PAC_OptionFlags_resource_based_constrained_delegation,
+      { "resource-based-constrained-delegation", "kerberos.resource-based-constrained-delegation",
+        FT_BOOLEAN, 8, NULL, 0x10,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_reserved,
+      { "reserved", "kerberos.reserved",
+        FT_BOOLEAN, 8, NULL, 0x80,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_hide_client_names,
+      { "hide-client-names", "kerberos.hide-client-names",
+        FT_BOOLEAN, 8, NULL, 0x40,
+        NULL, HFILL }},
+    { &hf_kerberos_FastOptions_kdc_follow_referrals,
+      { "kdc-follow-referrals", "kerberos.kdc-follow-referrals",
+        FT_BOOLEAN, 8, NULL, 0x80,
+        NULL, HFILL }},
 
 /*--- End of included file: packet-kerberos-hfarr.c ---*/
-#line 2268 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2898 "./asn1/kerberos/packet-kerberos-template.c"
        };
 
        /* List of subtrees */
@@ -5772,11 +7016,14 @@ void proto_register_kerberos(void) {
                &ett_krb_pac_drep,
                &ett_krb_pac_midl_blob,
                &ett_krb_pac_logon_info,
+               &ett_krb_pac_credential_info,
                &ett_krb_pac_s4u_delegation_info,
                &ett_krb_pac_upn_dns_info,
                &ett_krb_pac_server_checksum,
                &ett_krb_pac_privsvr_checksum,
                &ett_krb_pac_client_info_type,
+               &ett_krb_pa_supported_enctypes,
+               &ett_krb_ad_ap_options,
 
 /*--- Included file: packet-kerberos-ettarr.c ---*/
 #line 1 "./asn1/kerberos/packet-kerberos-ettarr.c"
@@ -5792,11 +7039,11 @@ void proto_register_kerberos(void) {
     &ett_kerberos_AuthorizationData,
     &ett_kerberos_AuthorizationData_item,
     &ett_kerberos_PA_DATA,
-    &ett_kerberos_EncryptedData,
     &ett_kerberos_EncryptionKey,
     &ett_kerberos_Checksum,
     &ett_kerberos_EncryptedTicketData,
     &ett_kerberos_EncryptedAuthorizationData,
+    &ett_kerberos_EncryptedAuthenticator,
     &ett_kerberos_EncryptedKDCREPData,
     &ett_kerberos_EncryptedAPREPData,
     &ett_kerberos_EncryptedKrbPrivData,
@@ -5828,6 +7075,7 @@ void proto_register_kerberos(void) {
     &ett_kerberos_KRB_ERROR_U,
     &ett_kerberos_METHOD_DATA,
     &ett_kerberos_PA_ENC_TIMESTAMP,
+    &ett_kerberos_PA_ENC_TS_ENC,
     &ett_kerberos_ETYPE_INFO_ENTRY,
     &ett_kerberos_ETYPE_INFO,
     &ett_kerberos_ETYPE_INFO2_ENTRY,
@@ -5835,21 +7083,30 @@ void proto_register_kerberos(void) {
     &ett_kerberos_APOptions,
     &ett_kerberos_TicketFlags,
     &ett_kerberos_KDCOptions,
+    &ett_kerberos_PA_PAC_REQUEST,
     &ett_kerberos_PA_S4U2Self,
     &ett_kerberos_PA_S4U_X509_USER,
     &ett_kerberos_S4UUserID,
-    &ett_kerberos_KERB_PA_PAC_REQUEST,
+    &ett_kerberos_PAC_OptionFlags,
+    &ett_kerberos_PA_PAC_OPTIONS,
+    &ett_kerberos_KERB_AD_RESTRICTION_ENTRY_U,
     &ett_kerberos_ChangePasswdData,
-    &ett_kerberos_PA_AUTHENTICATION_SET,
     &ett_kerberos_PA_AUTHENTICATION_SET_ELEM,
     &ett_kerberos_KrbFastArmor,
     &ett_kerberos_PA_FX_FAST_REQUEST,
+    &ett_kerberos_EncryptedKrbFastReq,
     &ett_kerberos_KrbFastArmoredReq,
+    &ett_kerberos_KrbFastReq,
+    &ett_kerberos_FastOptions,
     &ett_kerberos_PA_FX_FAST_REPLY,
+    &ett_kerberos_EncryptedKrbFastResponse,
     &ett_kerberos_KrbFastArmoredRep,
+    &ett_kerberos_KrbFastResponse,
+    &ett_kerberos_KrbFastFinished,
+    &ett_kerberos_EncryptedChallenge,
 
 /*--- End of included file: packet-kerberos-ettarr.c ---*/
-#line 2284 "./asn1/kerberos/packet-kerberos-template.c"
+#line 2917 "./asn1/kerberos/packet-kerberos-template.c"
        };
 
        static ei_register_info ei[] = {