[cifs-protocol] [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

Jeff McCashland (He/him) jeffm at microsoft.com
Mon Oct 30 22:36:29 UTC 2023


Hi Joseph,

I was able to debug the time travel trace, and determined the cause of failure. It appears that an RODC PAC cannot be used for an access check. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Tuesday, October 24, 2023 9:56 AM
To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

Hi Joseph,

Thank you for uploading the traces. I will analyze them and get back to you. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton at samba.org>
Sent: Monday, October 23, 2023 5:49 PM
To: Jeff McCashland (He/him) <jeffm at microsoft.com>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

Hi,

I’ve uploaded a trace of a Kerberos TGS exchange with a TGT issued by an RODC krbtgt and with an authentication policy enforced. In response to the TGS-REQ I expect to get a TGS-REP, but, as the trace shows, I get a KDC_ERR_POLICY error instead.

Regards,
Joseph

On 20/10/23 11:50 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> To debug this issue, I need to collect an LSASS TTT trace. I have created a file transfer workspace for exchanging files related to this issue (link below).
> 
> The LSASS traces can be quite large, but are highly compressible, so please add them to a .zip archive before uploading (file transfer workspace credentials are below). Please log into the workspace and find PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can be staged onto the Windows server in any location (instructions below assume C:\TTD).
> 
> To collect the needed traces:
> 	1. From a PowerShell prompt, execute:
> 		C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> 	2. Wait for a little window to pop up in the top-left corner of your screen, titled “lsass01.run”
> 	3. Start a network trace using netsh or WireShark, etc.
> 	4. Repro the attempted operation
> 	5. Stop the network trace and save it
> 	6. CAREFULLY: uncheck the checkbox next to “Tracing” in the small “lsass01.run” window. Do not close or exit the small window or you will need to reboot.
> 	7. The TTTracer.exe process will generate a trace file, then print out the name and location of the file.
> Compress the *.run file into a .zip archive before uploading with the matching network trace. It is a good idea to reboot the machine at the next opportunity to restart the lsass process.
> 
> Workspace credentials:
> Log in as 2310190040000616_joseph at dtmxfer.onmicrosoft.com
> 1-Time: 9dx_7ndz
> 
> Workspace link: 
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Thursday, October 19, 2023 10:01 AM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616
> 
> Hi Joseph,
> 
> I will research your issue and get back to you.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Wednesday, October 18, 2023 6:52 PM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616
> 
> [DocHelp to BCC, support on CC, SR ID on Subject]
> 
> Hi Joseph,
> 
> Thank you for your email. We have created SR 2310190040000616 to track this issue. One of our engineers will respond soon.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Wednesday, October 18, 2023 6:44 PM
> To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
> Subject: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs
> 
> 
> Hi dochelp,
> 
> [MS-KILE] 3.3.5.7, “TGS Exchange”, states that if during a TGS Exchange an Authentication Policy with ‘AllowedToAuthenticateTo’ is in effect, the user and device PACs must be used to perform an access check: if the access check succeeds, a service ticket is issued to the client; if it fails, the KDC returns KDC_ERR_POLICY.
> 
> However, I have found that Windows Server 2019, acting as a RWDC, *always* returns KDC_ERR_POLICY if the client’s TGT presented to the KDC has been issued by an RODC.
> 
> If no ‘AllowedToAuthenticateTo’ policy is enforced, or the client’s TGT has been issued by a RWDC, the TGS‐REQ exchange is successful.
> 
> As far as I can tell, this behaviour — disallowing the combination of authentication policies and RODC‐issued tickets — is not documented anywhere. Is matching this behaviour important for the correct and secure operation of MS-KILE implementations? And if so, can it be clearly documented in [MS-KILE]?
> 
> Regards,
> Joseph
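The thread contrasts the policy step that [MS-KILE] 3.3.5.7 documents (run an access check over the user and device PACs, issue a service ticket on success, return KDC_ERR_POLICY on failure) with the behaviour Joseph observed on Windows Server 2019 (an RODC-issued TGT is rejected outright whenever a policy is in effect). The model below is an added illustration written for this page, not Samba or Windows code; it assumes a simplified AllowedToAuthenticateTo check (membership of any PAC SID in an allowed-SID set, standing in for the real security-descriptor evaluation) and constructed SIDs.

```python
"""Constructed model of the [MS-KILE] 3.3.5.7 policy step in a TGS exchange.

Not Samba or Windows code. The access check is simplified: the real
AllowedToAuthenticateTo is a security descriptor evaluated against tokens
built from the user and device PACs; here it is an allowed-SID set.
"""
from dataclasses import dataclass
from typing import Optional, FrozenSet

KDC_ERR_POLICY = 12  # RFC 4120 error code: "KDC policy rejects request"


@dataclass(frozen=True)
class Pac:
    user_sid: str
    group_sids: FrozenSet[str]
    issued_by_rodc: bool  # True when the TGT/PAC was issued by an RODC krbtgt


@dataclass(frozen=True)
class AuthPolicy:
    # Simplified AllowedToAuthenticateTo: SIDs permitted to reach the service.
    allowed_sids: FrozenSet[str]


def access_check(policy: AuthPolicy, user_pac: Pac, device_pac: Optional[Pac]) -> bool:
    """Grant if any SID carried by the user PAC (or the device PAC, if the
    client supplied one) appears in the policy's allowed set."""
    sids = {user_pac.user_sid, *user_pac.group_sids}
    if device_pac is not None:
        sids |= {device_pac.user_sid, *device_pac.group_sids}
    return bool(sids & policy.allowed_sids)


def tgs_exchange(policy: Optional[AuthPolicy], user_pac: Pac,
                 device_pac: Optional[Pac] = None,
                 windows_observed: bool = True) -> str:
    """Return 'TGS-REP' or 'KDC_ERR_POLICY' for the policy step of a TGS-REQ.

    windows_observed=False follows the documented rule only; True adds the
    behaviour reported in the thread: with a policy in effect, a TGT issued
    by an RODC krbtgt is rejected before any access check is attempted."""
    if policy is None:
        return "TGS-REP"  # no AllowedToAuthenticateTo policy: nothing to enforce
    if windows_observed and user_pac.issued_by_rodc:
        return "KDC_ERR_POLICY"  # observed, undocumented RODC rejection
    if access_check(policy, user_pac, device_pac):
        return "TGS-REP"
    return "KDC_ERR_POLICY"
```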

