[cifs-protocol] [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

Jeff McCashland (He/him) jeffm at microsoft.com
Thu Oct 19 17:01:02 UTC 2023


Hi Joseph,

I will research your issue and get back to you. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Wednesday, October 18, 2023 6:52 PM
To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Joseph,

Thank you for your email. We have created SR 2310190040000616 to track this issue. One of our engineers will respond soon. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Wednesday, October 18, 2023 6:44 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs


Hi dochelp,

[MS-KILE] 3.3.5.7, “TGS Exchange”, states that if during a TGS Exchange an Authentication Policy with ‘AllowedToAuthenticateTo’ is in effect, the user and device PACs must be used to perform an access check: if the access check succeeds, a service ticket is issued to the client; if it fails, the KDC returns KDC_ERR_POLICY.

However, I have found that Windows Server 2019, acting as a RWDC, *always* returns KDC_ERR_POLICY if the client’s TGT presented to the KDC has been issued by an RODC.

If no ‘AllowedToAuthenticateTo’ policy is enforced, or the client’s TGT has been issued by a RWDC, the TGS-REQ exchange is successful.

As far as I can tell, this behaviour — disallowing the combination of authentication policies and RODC-issued tickets — is not documented anywhere. Is matching this behaviour important for the correct and secure operation of MS-KILE implementations? And if so, can it be clearly documented in [MS-KILE]?

Regards,
Joseph
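The following is an added illustration of the TGS policy decision Joseph describes; it is not code from the thread, from Samba, or from Microsoft. It models [MS-KILE] 3.3.5.7 as a decision function with two switches: the documented rule (policy in effect, access check over the user and device PACs, KDC_ERR_POLICY on failure) and the undocumented Windows Server 2019 behaviour reported above, where any RODC-issued TGT is refused as soon as an AllowedToAuthenticateTo policy is in effect. Everything about the access check is an assumption: the real KDC evaluates the policy's security descriptor against tokens built from both PACs, whereas here a PAC is just a set of SIDs and the policy is just a set of allowed SIDs, so the check reduces to a set intersection. The `tgt_issuer` string, the SIDs and the function names are constructed for the example. The decision table at the end shows that the two models differ in exactly one row, which is the case an operator would see when users at an RODC site start getting KDC_ERR_POLICY for policy-protected services.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple


class TgsResult(Enum):
    """Outcome of the TGS exchange as described in [MS-KILE] 3.3.5.7."""
    TICKET_ISSUED = "service ticket issued"
    KDC_ERR_POLICY = "KDC_ERR_POLICY"


@dataclass(frozen=True)
class Pac:
    """Stand-in for a PAC: only the SIDs it carries matter in this model (assumption)."""
    sids: FrozenSet[str]


@dataclass(frozen=True)
class AuthenticationPolicy:
    """An Authentication Policy. AllowedToAuthenticateTo is modelled as the set of SIDs
    the policy admits (assumption: the real setting is a security descriptor)."""
    allowed_to_authenticate_to: Optional[FrozenSet[str]]  # None => setting absent


def access_check(policy: AuthenticationPolicy, user_pac: Pac, device_pac: Pac) -> bool:
    """Simplified access check over the user and device PACs.

    Assumption: the check passes when a SID from either PAC is in the policy's allowed
    set. This only mimics the shape of the real security-descriptor evaluation.
    """
    allowed = policy.allowed_to_authenticate_to or frozenset()
    return bool(allowed & user_pac.sids) or bool(allowed & device_pac.sids)


def tgs_exchange(policy, tgt_issuer, user_pac, device_pac,
                 observed_rwdc_behaviour=False) -> TgsResult:
    """Decide the outcome of a TGS-REQ.

    tgt_issuer is "RWDC" or "RODC" (assumption: the KDC can tell which kind of DC
    issued the presented TGT). With observed_rwdc_behaviour=False the function follows
    the documented text of 3.3.5.7; with True it adds the behaviour reported for
    Windows Server 2019: an RODC-issued TGT gets KDC_ERR_POLICY whenever an
    AllowedToAuthenticateTo policy is in effect, before any access check runs.
    """
    if tgt_issuer not in ("RWDC", "RODC"):
        raise ValueError(f"unknown TGT issuer kind: {tgt_issuer!r}")
    policy_in_effect = policy is not None and policy.allowed_to_authenticate_to is not None
    if not policy_in_effect:
        return TgsResult.TICKET_ISSUED          # no policy: ticket issued as usual
    if observed_rwdc_behaviour and tgt_issuer == "RODC":
        return TgsResult.KDC_ERR_POLICY         # undocumented: RODC TGT refused outright
    if access_check(policy, user_pac, device_pac):
        return TgsResult.TICKET_ISSUED          # documented: access check passed
    return TgsResult.KDC_ERR_POLICY             # documented: access check failed


def decision_table() -> List[Tuple[str, str, bool, str, str]]:
    """Rows of (policy in effect, TGT issuer, access check passes, documented outcome,
    observed outcome) over constructed PACs, so the single row where the two models
    disagree is easy to spot."""
    # Constructed sample data: placeholder SIDs, not real domain SIDs.
    policy = AuthenticationPolicy(frozenset({"S-1-5-21-0-0-0-2001"}))   # allowed group
    device_pac = Pac(frozenset({"S-1-5-21-0-0-0-1500"}))                # device's groups
    user_allowed = Pac(frozenset({"S-1-5-21-0-0-0-1101", "S-1-5-21-0-0-0-2001"}))
    user_denied = Pac(frozenset({"S-1-5-21-0-0-0-1101"}))

    rows = []
    for pol in (None, policy):
        for issuer in ("RWDC", "RODC"):
            for user_pac in (user_allowed, user_denied):
                passes = pol is not None and access_check(pol, user_pac, device_pac)
                documented = tgs_exchange(pol, issuer, user_pac, device_pac).value
                observed = tgs_exchange(pol, issuer, user_pac, device_pac, True).value
                rows.append(("yes" if pol else "no", issuer, passes, documented, observed))
    return rows


if __name__ == "__main__":
    for row in decision_table():
        print(row)
```

Running the script prints eight rows; only the row with a policy in effect, an RODC-issued TGT and a passing access check differs between the documented rule (ticket issued) and the observed behaviour (KDC_ERR_POLICY), which is precisely the discrepancy the message asks to have documented.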

