http://bugs.winehq.org/show_bug.cgi?id=37063
--- Comment #3 from dwmw2@infradead.org dwmw2@infradead.org --- I've made the DecryptMessage part work in wine by passing a SECBUFFER_TOKEN of 16 bytes and the rest in a SECBUFFER_DATA. And that works for NTLM under Windows too.
However, even if I generalise that to use sizes.cbMaxSignature instead of a hard-coded 16, it doesn't work for Kerberos. I receive a 29-byte encrypted message, pass the first 28 of it in the SECBUFFER_TOKEN and the next in the SECBUFFER_DATA, and Windows still doesn't like it; I get SEC_E_MESSAGE_ALTERED.
I can't find where SECBUFFER_STREAM is even documented — it isn't mentioned at http://msdn.microsoft.com/en-us/library/windows/desktop/aa379814%28v=vs.85%2...
Neither can I recall why I'm using it; I have a vague recollection of finding a mailing list archive somewhere, where the lack of good documentation on this was lamented and someone authoritative said this was the way to do it... which does appear to be true, under Windows.
At http://msdn.microsoft.com/en-us/library/windows/desktop/aa375205%28v=vs.85%2... another layout (SECBUFFER_DATA, SECBUFFER_EMPTY*3) is used... which doesn't actually work under Wine *or* Windows.