[cifs-protocol] [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

Fri Dec 8 23:10:14 UTC 2023

Hi Joseph,

We have updated [MS-KILE] for the next release to address this issue: 

3.3.5.7	TGS Exchange
[...]
If domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25) and the account is not also the application service account, the KDC MUST determine whether an Authentication Policy is applied to the server or service (section 3.3.5.5); if Enforced is TRUE then:<67>
§	If AllowedToAuthenticateTo is not NULL, the PAC of the user and the PAC of the armor TGT MUST be used to perform an access check for the ACTRL_DS_CONTROL_ACCESS right against the AllowedToAuthenticateTo. If the access check fails, the KDC MUST return KDC_ERR_POLICY.
[added:]
§	If the TGT is issued by a read-only Domain Controller (RODC) (section 3.3.5.7.7), the KDC MUST reject the request and return KDC_ERR_POLICY. Clients SHOULD send an AS-REQ to a full DC with PA-PAC-OPTIONS [167] (section 2.2.10) padata type with the Branch Aware bit set to the TGS REQ (section 3.2.5.7).

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Wednesday, November 1, 2023 1:28 PM
To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

[-support]

Hi Joseph,

In regards to your question on whether the behavior is important for implementation: 

It is important that the RODC PAC is not used to evaluate policy, that may be dangerous and must not happen. 

Your options are to:
1. Fail the request as we do
2. Generate a PAC locally for the incoming RODC and evaluate policy against that

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Monday, October 30, 2023 3:43 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

Thank you, that’s what I was looking to know.

Regards,
Joseph

On 31/10/23 11:36 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> I was able to debug the time travel trace, and determined the cause of failure. It appears that an RODC PAC cannot be used for an access check.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
> Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> found here:
> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsuppo
> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com%
> 7C3f7b5a2b54034d7cb22d08dbd999a5bd%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638343026185515950%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=W65vZYq%2FNLQ30ZjDBbpVwj3N9EX%2BWpplyn9whjEITLY%3D&reserved=0 | 
> Extension 1138300
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Tuesday, October 24, 2023 9:56 AM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs -
> TrackingID#2310190040000616
> 
> Hi Joseph,
> 
> Thank you for uploading the traces. I will analyze them and get back to you.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
> Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> found here:
> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsuppo
> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com%
> 7C3f7b5a2b54034d7cb22d08dbd999a5bd%7C72f988bf86f141af91ab2d7cd011db47%
> 7C1%7C0%7C638343026185523109%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwM
> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdat
> a=qKYvLwvv4j7oBZcXdqn6X6oMo7Qq1RdnuaFerkKI6a4%3D&reserved=0 | 
> Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Monday, October 23, 2023 5:49 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>; 
> cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs -
> TrackingID#2310190040000616
> 
> Hi,
> 
> I’ve uploaded a trace of a Kerberos TGS exchange with a TGT issued by an RODC krbtgt and with an authentication policy enforced. In response to the TGS-REQ I expect to get a TGS-REP, but, as the trace shows, I get a KDC_ERR_POLICY error instead.
> 
> Regards,
> Joseph
> 
> On 20/10/23 11:50 am, Jeff McCashland (He/him) wrote:
>> Hi Joseph,
>>
>> To debug this issue, I need to collect an LSASS TTT trace. I have created a file transfer workspace for exchanging files related to this issue (link below).
>>
>> The LSASS traces can be quite large, but are highly compressible, so please add them to a .zip archive before uploading (file transfer workspace credentials are below). Please log into the workspace and find PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can be staged onto the Windows server in any location (instructions below assume C:\TTD).
>>
>> To collect the needed traces:
>> 	1. From a PowerShell prompt, execute:
>> 		C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
>> 	2. Wait for a little window to pop up in top left corner of your screen, titled “lsass01.run”
>> 	3. start a network trace using netsh or WireShark, etc.
>> 	4. Repro the attempted operation
>> 	5. Stop the network trace and save it
>> 	6. CAREFULLY: uncheck the checkbox next to “Tracing” in the small “lsass01.run” window. Do not close or exit the small window or you will need to reboot.
>> 	7. The TTTracer.exe process will generate a trace file, then print out the name and location of the file.
>> Compress the *.run file into a .zip archive before uploading with the matching network trace. It is a good idea to reboot the machine at the next opportunity to restart the lsass process.
>>
>> Workspace credentials:
>> Log in as 2310190040000616_joseph at dtmxfer.onmicrosoft.com
>> 1-Time: 9dx_7ndz
>>
>> Workspace link:
>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsup
>> p%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C3f7b5a2b54034d7cb22d08dbd
>> 999a5bd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383430261855283
>> 07%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Y8cpxgtPQ1EHKpg4nV9eeL
>> p9IBnkR98Pb23Wd1ps4Q4%3D&reserved=0
>> ort.microsoft.com%2Ffiles%3Fworkspace%3DeyJ0eXAiOiJKV1QiLCJhbGciOiJSU
>> z
>> I1NiJ9.eyJ3c2lkIjoiNWQ2YjE2MzgtYzU5Ni00N2ZhLTkxNDQtN2QzMzMzNmJmNTlhIi
>> w
>> ic3IiOiIyMzEwMTkwMDQwMDAwNjE2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUt
>> Y
>> mUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOi
>> J
>> mNDdhMTY0ZS1jYjFiLTQ2MGQtYjczZS03YWZmZDEwY2Q0YTAiLCJpc3MiOiJodHRwczov
>> L
>> 2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleH
>> A
>> iOjE3MDU1MzEzMzIsIm5iZiI6MTY5Nzc1NTMzMn0.U82nOV5WR7AK7pNvLhlCsTkcMPfZ
>> V
>> 9NouoJlJQYbNJeQQ3w5XBrCsAxLolvtXVt85zVs6YDkmF4gN2NxH2GW4DP46UsENY1-Qg
>> 4
>> RQ3omGdfy4aqTOprhdzBdDegmq0IDCnz_dB862F_fzkiMtyuMoACCPGFpnufedw5X4a8I
>> V
>> SfdST9enEREWlH1TQHE7KsWKgvJ7aPydEdYoOUDatQ1annMYfhbGttsrXXZfbsSlc1-l5
>> j
>> hGPs9RtGqpgzycy3m9VftAbGjpz4em-_nFAADznArzn4dnIitRjH2zulc-fQRCraq6cgw
>> K
>> J6BJrxh9BE_4Qq7xjXP4EsSMcB40wE8Kg%26wid%3D5d6b1638-c596-47fa-9144-7d3
>> 3
>> 336bf59a&data=05%7C01%7Cjeffm%40microsoft.com%7Cd2df6639c0f2400841be0
>> 8
>> dbd42b0baf%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383370535932
>> 9
>> 2016%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJB
>> T
>> iI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HP0vNpnaAV3ThmBh%2FoK
>> Y
>> aZ3ae5ZwfG1weaghACVYfZQ%3D&reserved=0
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
>> Protocol Open Specifications Team
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
>> found here:
>> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupp
>> o%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C3f7b5a2b54034d7cb22d08dbd
>> 999a5bd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383430261855321
>> 67%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EfTIGsB00OBJwWsBuOGgGa
>> d%2BrUKKvB%2BgZyk9sU5KmS0%3D&reserved=0
>> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com
>> %
>> 7Cd2df6639c0f2400841be08dbd42b0baf%7C72f988bf86f141af91ab2d7cd011db47
>> %
>> 7C1%7C0%7C638337053593302820%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAw
>> M
>> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sda
>> t
>> a=klokoLuopKUqNnv7a4km5xKm3HvBVccLEHIWkByzKlo%3D&reserved=0 | 
>> Extension 1138300
>>
>> -----Original Message-----
>> From: Jeff McCashland (He/him)
>> Sent: Thursday, October 19, 2023 10:01 AM
>> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs -
>> TrackingID#2310190040000616
>>
>> Hi Joseph,
>>
>> I will research your issue and get back to you.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
>> Protocol Open Specifications Team
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
>> found here:
>> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupp
>> o%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C3f7b5a2b54034d7cb22d08dbd
>> 999a5bd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383430261855359
>> 29%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=s4CKP2QCLwsMv5AaneONyM
>> BjuNtvUtx2JSgmfjjHdcw%3D&reserved=0
>> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com
>> %
>> 7Cd2df6639c0f2400841be08dbd42b0baf%7C72f988bf86f141af91ab2d7cd011db47
>> %
>> 7C1%7C0%7C638337053593308176%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAw
>> M
>> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sda
>> t
>> a=co7GonF9LAU7bMkiJsT4roGw1FtCCbGIrgrgsqWCnBs%3D&reserved=0 | 
>> Extension 1138300
>>
>> -----Original Message-----
>> From: Jeff McCashland (He/him)
>> Sent: Wednesday, October 18, 2023 6:52 PM
>> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
>> Cc: Microsoft Support <supportmail at microsoft.com>
>> Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs -
>> TrackingID#2310190040000616
>>
>> [DocHelp to BCC, support on CC, SR ID on Subject]
>>
>> Hi Joseph,
>>
>> Thank you for your email. We have created SR 2310190040000616 to track this issue. One of our engineers will respond soon.
>>
>> Best regards,
>> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft 
>> Protocol Open Specifications Team
>> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
>> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
>> found here:
>> https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupp
>> o%2F&data=05%7C01%7Cjeffm%40microsoft.com%7C3f7b5a2b54034d7cb22d08dbd
>> 999a5bd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6383430261855396
>> 63%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
>> I6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yP%2F2sPvROp50xSP43Ahj
>> G%2BcJyxZ2k3QE0kgYNMVKqGY%3D&reserved=0
>> rt.microsoft.com%2Fglobalenglish&data=05%7C01%7Cjeffm%40microsoft.com
>> %
>> 7Cd2df6639c0f2400841be08dbd42b0baf%7C72f988bf86f141af91ab2d7cd011db47
>> %
>> 7C1%7C0%7C638337053593312064%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAw
>> M
>> DAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sda
>> t
>> a=DLIBS5nA9hhCc9Hf21UgymI2%2FwQoFRadqEBz54UYQwc%3D&reserved=0 | 
>> Extension 1138300
>>
>> -----Original Message-----
>> From: Joseph Sutton <jsutton at samba.org>
>> Sent: Wednesday, October 18, 2023 6:44 PM
>> To: cifs-protocol at lists.samba.org; Interoperability Documentation 
>> Help <dochelp at microsoft.com>
>> Subject: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs
>>
>> [Some people who received this message don't often get email from 
>> jsutton at samba.org. Learn why this is important at 
>> https://aka.ms/LearnAboutSenderIdentification ]
>>
>> Hi dochelp,
>>
>> [MS-KILE] 3.3.5.7, “TGS Exchange”, states that if during a TGS Exchange an Authentication Policy with ‘AllowedToAuthenticateTo’ is in effect, the user and device PACs must be used to perform an access check: if the access check succeeds, a service ticket is issued to the client; if it fails, the KDC returns KDC_ERR_POLICY.
>>
>> However, I have found that Windows Server 2019, acting as a RWDC,
>> *always* returns KDC_ERR_POLICY if the client’s TGT presented to the KDC has been issued by an RODC.
>>
>> If no ‘AllowedToAuthenticateTo’ policy is enforced, or the client’s TGT has been issued by a RWDC, the TGS‐REQ exchange is successful.
>>
>> As far as I can tell, this behaviour — disallowing the combination of authentication policies and RODC‐issued tickets — is not documented anywhere. Is matching this behaviour important for the correct and secure operation of MS-KILE implementations? and if so, can it be clearly documented in [MS-KILE]?
>>
>> Regards,
>> Joseph