[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames
Bryan Burgin
bburgin at microsoft.com
Sat May 28 16:55:51 UTC 2016
[Dochelp to bcc]
[+Casemail]
Hi Metze
Thank you for your question. We created SR 116052814221908 to track this issue. An engineer will contact you soon.
Bryan
-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org]
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames
Hi DocHelp,
we have seen clients registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.
We're rejecting them, as we didn't know about the :port part, and MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName doesn't specify this optional part.
Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid tcp/udp port number. It works with '99999'.
I also found a number of Google hits where people use things like:
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non numeric :port parts.
Can you update the MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?
https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:
MSSQLSvc/FQDN:[port|instancename]
That should allow "MSSQLSvc/FQDN:SOMENAME" or it has to be
MSSQLSvc/FQDN[:port][/instancename]
or
MSSQLSvc/FQDN[:port|/instancename]
It would be nice to get some hints about what we have to implement.
Thanks!
metze
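The following is an added example, not code from this thread, from Samba or from Microsoft. It shows what a DC-side validator for a validated write of servicePrincipalName could look like under the grammar the message above proposes as one candidate, `serviceclass/host[:port][/servicename]`, combined with the behaviour observed against a Windows DC: the text after ':' must be all digits, but need not be a valid TCP/UDP port number (so `:99999` passes and `:SOPHOS` fails). The `allowed_hosts` argument models the reason validated writes exist at all: an account may only register SPNs whose host component names that account's own host, so the check refuses SPNs that would let one machine claim tickets meant for another. The grammar, the reason strings, the treatment of an empty `:` suffix as invalid, and the exclusion of IPv6 literals (which contain ':') are all assumptions of this example, not statements of what MS-ADTS specifies.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed grammar (not quoted from MS-ADTS): serviceclass/host[:port][/servicename]
# host may not contain ':' or '/', so IPv6 address literals are out of scope here.
_SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)"   # serviceclass/host
    r"(?::(?P<port>[^/]*))?"               # optional :port (any chars, checked later)
    r"(?:/(?P<svc>[^/]+))?$"               # optional /servicename
)

# Observed DC behaviour from the thread: only ASCII digits after ':', any length.
_PORT_RE = re.compile(r"[0-9]+")


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[str]          # kept as text: 99999 is accepted although it is no real port
    service_name: Optional[str]


def parse_spn(value: str) -> Optional[Spn]:
    """Split an SPN into its components, or return None if it does not fit the grammar."""
    m = _SPN_RE.match(value)
    if m is None:
        return None
    return Spn(m.group("cls"), m.group("host"), m.group("port"), m.group("svc"))


def validate_spn(value: str,
                 allowed_hosts: Optional[Iterable[str]] = None) -> Tuple[bool, str]:
    """Decide whether a validated write of this SPN should be accepted.

    Returns (accepted, reason). allowed_hosts lists the host names the writing
    account is entitled to register SPNs for (its own dNSHostName and short name);
    when given, an SPN naming any other host is refused.
    """
    spn = parse_spn(value)
    if spn is None:
        return False, "malformed"
    # Port part: digits only, but no range check (the DC accepted :99999).
    if spn.port is not None and _PORT_RE.fullmatch(spn.port) is None:
        return False, "port_not_numeric"
    # Ownership check: the SPN must name a host the account is allowed to speak for.
    if allowed_hosts is not None:
        owned = {h.lower() for h in allowed_hosts}
        if spn.host.lower() not in owned:
            return False, "host_not_owned"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs taken from the forms discussed in the thread.
    own_names = ["YOURHOST.TESTDOMAIN.COM", "YOURHOST"]
    for candidate in [
        "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:99999",
        "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",
        "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008",
        "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:1433/MSSQLSERVER2008",
        "MSSQLSvc/OTHERHOST.TESTDOMAIN.COM:1433",
    ]:
        print(candidate, "->", validate_spn(candidate, allowed_hosts=own_names))
```

With the host list supplied, the last candidate is refused even though its syntax is fine; without it, only the two non-numeric `:port` forms from the thread are rejected, which matches what the message reports the Windows DC doing.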