[cifs-protocol] [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing is said as to how these strings are to be derived from the client’s certificate - TrackingID#2308180010001826

Jeff McCashland (He/him) jeffm at microsoft.com
Tue Aug 22 21:25:14 UTC 2023


Hi Joseph,

Thank you for the information. 

It appears the certificate strings array needs to contain the msDS-ClaimSource that you mentioned, which may have values such as 'AD', 'Certificate', or 'TransformPolicy'. 

I will see what more I can find out. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org> 
Sent: Monday, August 21, 2023 11:30 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing is said as to how these strings are to be derived from the client’s certificate - TrackingID#2308180010001826

Hi,

I have not managed to have Windows generate these certificate strings myself, but I imagine the procedure looks something like the following.

First, create a claim type like so:

dn: CN=ExampleClaim,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: msDS-ClaimType
Enabled: TRUE
msDS-ClaimIsSingleValued: TRUE
msDS-ClaimSource: (what value should this have? — see below.)
msDS-ClaimSourceType: Certificate
msDS-ClaimTypeAppliesToClass: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
msDS-ClaimTypeAppliesToClass: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
msDS-ClaimValueType: 6

Then, having installed and set up Certificate Services on the Windows server, perform a Kerberos AS-REQ using PKINIT. If the KDC generates the certificate strings as specified in [MS-ADTS], the claim ought now to be in the PAC_CLIENT_CLAIMS_INFO PAC buffer in the TGT. More pertinently (from an end user’s perspective), with the claim in the PAC we should be authorized to access resources requiring possession of said claim.

I’ve followed these steps as far as making the Kerberos AS-REQ.

The part of all this that I’m quite uncertain about is how to set the attribute “msDS-ClaimSource”. According to the documentation for
GetCertificateSourcedClaims() ([MS-ADTS] section 3.1.1.11.2.3), a certificate-sourced claim will be issued only if this attribute matches one of the certificate strings. But, as of yet, I haven’t been able to discover what value this attribute should hold for that to happen, not knowing how the certificate strings are derived. That’s what I’m ultimately trying to find out.

Regards,
Joseph

On 22/08/23 6:23 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
>
> I think I will need to do some debugging to find the answer to your question. Do you have a use case or scenario that would use this mechanism? Can you suggest a configuration and repro steps I can use to generate the exchange?
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Friday, August 18, 2023 9:52 AM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [MS-KILE] Certificate strings - but nothing is said as to 
> how these strings are to be derived from the client’s certificate - 
> TrackingID#2308180010001826
>
> [HC to BCC]
>
> Hi Joseph,
>
> I will research your question and let you know what I find.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> -----Original Message-----
> From: Hung-Chun Yu <HungChun.Yu at microsoft.com>
> Sent: Thursday, August 17, 2023 9:44 PM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>; Hung-Chun Yu 
> <HungChun.Yu at microsoft.com>
> Subject: [MS-KILE] Certificate strings - but nothing is said as to how 
> these strings are to be derived from the client’s certificate - 
> TrackingID#2308180010001826
>
> [bcc dochelp]
> Hi Joseph
>
> Thank you for contacting Protocol Support. We created SR Case - TrackingID#2308180010001826. Do leave this tag in the subject line for future references.
> One of our engineers will be contacting you shortly.
>
> Hung-Chun Yu
> hunyu at microsoft.com
>
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Thursday, August 17, 2023 7:26 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help 
> <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-KILE] Certificate strings
>
> Hi dochelp,
>
> [MS-KILE] 3.3.5.6.4.6, “PAC_CLIENT_CLAIMS_INFO Structure”, mentions that the KDC should call GetClaimsForPrincipal() to get the claims blob with which to populate the PAC_CLIENT_CLAIMS_INFO structure. One of the parameters to GetClaimsForPrincipal(), namely “pCertificateStringsArray”, comprises “[a] set of Unicode strings”, but nothing is said as to how these strings are to be derived from the client’s certificate.
>
> Can you outline the procedure by which these strings are formed, and perhaps provide an example of such a string?
>
> Regards,
> Joseph
>
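The repro configuration Jeff asks for, written out as PowerShell for a Windows DC, is an added example; it is not code from the thread, from Samba or from Microsoft. It assumes the ActiveDirectory module is available, uses the same domain (example.com) and claim name (ExampleClaim) as Joseph's LDIF, and deliberately leaves msDS-ClaimSource as a placeholder variable ($ClaimSource), since the correct value of that attribute is precisely the open question in this thread. The claims-issuance prerequisite named in the comments (the KDC-side and client-side Group Policy settings for claims) is not mentioned in the thread and is added here as a practitioner caveat.

```powershell
# Added example, not from the thread. Creates the same msDS-ClaimType object as
# Joseph's LDIF, reads it back, and shows how to check for the claim after a
# PKINIT (certificate) logon. Domain, claim name and the placeholder claim-source
# value are assumptions.
Import-Module ActiveDirectory

$RootDse    = Get-ADRootDSE
$ConfigNC   = $RootDse.configurationNamingContext   # e.g. CN=Configuration,DC=example,DC=com
$SchemaNC   = $RootDse.schemaNamingContext          # e.g. CN=Schema,CN=Configuration,DC=example,DC=com
$ClaimTypes = "CN=Claim Types,CN=Claims Configuration,CN=Services,$ConfigNC"
$ClaimName  = 'ExampleClaim'

# The attribute the thread is trying to pin down. Per [MS-ADTS] 3.1.1.11.2.3 it must
# match one of the KDC's certificate strings; 'REPLACE-ME' is a placeholder only.
$ClaimSource = 'REPLACE-ME'

function New-ExampleCertificateClaimType {
    # Mirrors the LDIF attribute for attribute; msDS-ClaimValueType 6 is CLAIM_TYPE_BOOLEAN.
    New-ADObject -Name $ClaimName -Type 'msDS-ClaimType' -Path $ClaimTypes -OtherAttributes @{
        'Enabled'                      = $true
        'msDS-ClaimIsSingleValued'     = $true
        'msDS-ClaimSource'             = $ClaimSource
        'msDS-ClaimSourceType'         = 'Certificate'
        'msDS-ClaimTypeAppliesToClass' = @("CN=User,$SchemaNC", "CN=Computer,$SchemaNC")
        'msDS-ClaimValueType'          = 6
    }
}

function Get-ExampleCertificateClaimType {
    # Read the object back so a wrong msDS-ClaimSource value is visible before any logon test.
    Get-ADObject -SearchBase $ClaimTypes `
        -Filter "objectClass -eq 'msDS-ClaimType' -and name -eq '$ClaimName'" `
        -Properties Enabled, msDS-ClaimSource, msDS-ClaimSourceType, msDS-ClaimValueType, msDS-ClaimTypeAppliesToClass
}

New-ExampleCertificateClaimType
Get-ExampleCertificateClaimType | Format-List Name, Enabled, msDS-Claim*

# Prerequisite not covered in the thread: a Windows KDC only issues claims (and so only
# emits a PAC_CLIENT_CLAIMS_INFO buffer) when the DC policy "KDC support for claims,
# compound authentication and Kerberos armoring" is enabled, and a Windows client only
# requests them when "Kerberos client support for claims, compound authentication and
# Kerberos armoring" is enabled. Check the effective computer policy on the DC with:
#   gpresult /scope computer /r
#
# Then, on a domain member, log on with the certificate (smart card / PKINIT) and inspect
# the resulting ticket and token. The claim is expected to appear as a boolean under
# "USER CLAIMS INFORMATION":
#   klist                 # the TGT obtained through PKINIT
#   whoami /claims        # claims carried in the PAC_CLIENT_CLAIMS_INFO buffer
# If ExampleClaim is absent, the KDC did not match $ClaimSource against any certificate
# string, which is exactly the situation Joseph describes.
```

The ActiveDirectory module also offers New-ADClaimType, whose -SourceOID parameter creates certificate-sourced claim types; the raw New-ADObject form is used above so that the attributes match Joseph's LDIF one to one and msDS-ClaimSource stays an explicit, visibly unresolved value rather than being filled in by the cmdlet.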


