[cifs-protocol] [MS-KILE] Authentication Policies and RODCs
Joseph Sutton
jsutton at samba.org
Thu Oct 19 01:43:34 UTC 2023
Hi dochelp,
[MS-KILE] 3.3.5.7, “TGS Exchange”, states that if during a TGS Exchange
an Authentication Policy with ‘AllowedToAuthenticateTo’ is in effect,
the user and device PACs must be used to perform an access check: if the
access check succeeds, a service ticket is issued to the client; if it
fails, the KDC returns KDC_ERR_POLICY.
However, I have found that Windows Server 2019, acting as an RWDC,
*always* returns KDC_ERR_POLICY if the client’s TGT presented to the KDC
has been issued by an RODC.
If no ‘AllowedToAuthenticateTo’ policy is enforced, or the client’s TGT
has been issued by an RWDC, the TGS-REQ exchange is successful.
As far as I can tell, this behaviour — disallowing the combination of
authentication policies and RODC-issued tickets — is not documented
anywhere. Is matching this behaviour important for the correct and
secure operation of MS-KILE implementations, and if so, can it be
clearly documented in [MS-KILE]?
Regards,
Joseph