[cifs-protocol] [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing is said as to how these strings are to be derived from the client’s certificate - TrackingID#2308180010001826

Andrew Bartlett abartlet at samba.org
Tue Sep 26 22:04:11 UTC 2023


Thanks.  Can you expand on:

> Note  No semantics are to be attached to these values other than
> those specified in section 3.

In particular, how are the values in this enum used in Active
Directory, and in particular is there any use in conditional ACEs?
Section 3 isn't a clear enough reference, sorry!
Thanks,
Andrew Bartlett
On Fri, 2023-09-22 at 22:17 +0000, Jeff McCashland (He/him) via
cifs-protocol wrote:
> Hi Joseph,
> Here is further information: The string in pCertificateStringsArray
> represents a certificate based claim source.  We could have 2 types
> of claim source, AD based source or certificate based source.
> Claims source type is defined here: [MS-ADTS] 2.2.18.3
> CLAIMS_SOURCE_TYPE
>
> The CLAIMS_SOURCE_TYPE enumeration specifies the source of the claims.
>
>     typedef enum _CLAIMS_SOURCE_TYPE
>     {
>         CLAIMS_SOURCE_TYPE_AD = 1,
>         CLAIMS_SOURCE_TYPE_CERTIFICATE
>     } CLAIMS_SOURCE_TYPE;
>
> Note  No semantics are to be attached to these values other than
> those specified in section 3.
>
> That last note indicates that the format is left undefined other than
> as a string blob, intended to be implementation-specific.
> Please let me know if this does not answer your question.
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Tuesday, September 19, 2023 10:15 AM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing
> is said as to how these strings are to be derived from the client’s
> certificate - TrackingID#2308180010001826
> Hi Joseph,
> What I've been able to determine so far is that
> pCertificateStringsArray is a set of OIDs of msDS-ClaimSource
> attribute. Hopefully this helps. 
> I'll let you know if I discover more information. 
> Best regards,
> Jeff McCashland (He/him)
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Wednesday, August 23, 2023 3:52 PM
> To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: RE: [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing
> is said as to how these strings are to be derived from the client’s
> certificate - TrackingID#2308180010001826
> Hi Joseph,
> Thank you for your fast response. I will analyze the traces and let
> you know what I find. 
> Best regards,
> Jeff McCashland (He/him)
> -----Original Message-----
> From: Joseph Sutton <jsutton at samba.org>
> Sent: Wednesday, August 23, 2023 3:44 PM
> To: Jeff McCashland (He/him) <jeffm at microsoft.com>; cifs-protocol at lists.samba.org
> Cc: Microsoft Support <supportmail at microsoft.com>
> Subject: Re: [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing
> is said as to how these strings are to be derived from the client’s
> certificate - TrackingID#2308180010001826
> Hi,
> I have uploaded a TTD trace and a network trace. The PKINIT AS-REQ
> I’m interested in should be the final AS-REQ that appears in the
> network trace.
> Regards,
> Joseph
> On 24/08/23 8:53 am, Jeff McCashland (He/him) wrote:
> > Hi Joseph,
> > That configuration is quite complex in Windows. I think it would be
> > best to collect a TTT trace from your attempted repro. This will
> > allow me to debug into where the PAC is being populated so I can
> > determine what is needed in the Unicode string array. Please
> > collect and upload an LSASS TTT trace and concurrent network trace
> > from your Windows Server where the AS Req is processed.
> > The LSASS traces can be quite large, but are highly compressible,
> > so please add them to a .zip archive before uploading (file
> > transfer workspace credentials are below). Please log into the
> > workspace and find PartnerTTDRecorder_x86_x64.zip available for
> > download. The x64 tool can be staged onto the Windows server in any
> > location (instructions below assume C:\TTD).
> > To collect the needed traces:
> >
> >   1. From an elevated command prompt, run tasklist /FI "IMAGENAME eq
> >      lsass.exe" and note the PID number
> >   2. Run the command (using the PID from step 1):
> >      "C:\TTD\TTTracer.exe -attach [PID]"
> >   3. From a PowerShell prompt, execute:
> >      C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> >   4. Wait for a little window to pop up in the top left corner of your
> >      screen, titled “lsass01.run”
> >   5. Start a network trace using netsh or WireShark, etc.
> >   6. Repro the attempted operation
> >   7. Stop the network trace and save it
> >   8. CAREFULLY: uncheck the checkbox next to “Tracing” in the small
> >      “lsass01.run” window. Do not close or exit the small window or you
> >      will need to reboot.
> >   9. The TTTracer.exe process will generate a trace file, then print
> >      out the name and location of the file.
> >
> > Compress the *.run file into a .zip archive before uploading with the
> > matching network trace. It is a good idea to reboot the machine at the
> > next opportunity to restart the lsass process.
> > Workspace information:
> > Log in as: 2308180010001826_joseph at dtmxfer.onmicrosoft.com
> > 1-time: xU1GQ+f1
> > Workspace link:
> > https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ3c2lkIjoiOWY3ZDY3ODMtNjBhOC00OGE0LTk3MTctNDUzYzY2ZDQxYTJiIiwic3IiOiIyMzA4MTgwMDEwMDAxODI2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJzdiI6InYxIiwicnMiOiJFeHRlcm5hbCIsInd0aWQiOiIxODMyMDRlMi04ZjJkLTRjZTQtOTY0Zi1hYzIyMzVlOThjNzEiLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMiLCJleHAiOjE3MDA1OTkxODcsIm5iZiI6MTY5MjgyMzE4N30.b4P9cxG8t-JSihx9aIIOuDgjJun4S3Jfi_k6POc8VIUHBGMKelPAUligjBRVVTJ5AeRL3BLfKcbWy43C2gT8oZfH2lchMznB4azBN0Rnum5uDBCtk5p3mtWiDiFTMuezuef5yjqx-qP_WTG5JjBrueN8EFM9LFaHqiwK39KF_ysUGWfuKC4yGn5i_VI9QcRH12zdEifbNG3oHcA0Sdc7ke9Oq0MzHPvTI_jIPRoKmU235ptLHCH9zPznKnri4GigHIDC_-sq-H2czKio2-4CVcRtxIe5MHo8zy7u16lePsMFORGYL9Mv7y4U35QQ-VH6ha6PhgAH9aynO2tmTdCtqg&wid=9f7d6783-60a8-48a4-9717-453c66d41a2b
> > Best regards,
> > Jeff McCashland (He/him)
> > -----Original Message-----
> > From: Jeff McCashland (He/him)
> > Sent: Tuesday, August 22, 2023 2:25 PM
> > To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> > Cc: Microsoft Support <supportmail at microsoft.com>
> > Subject: RE: [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing
> > is said as to how these strings are to be derived from the client’s
> > certificate - TrackingID#2308180010001826
> > Hi Joseph,
> > Thank you for the information.
> > It appears the certificate strings array needs to contain the
> > msDS-ClaimSource that you mentioned, which may have values such as
> > 'AD', 'Certificate', or 'TransformPolicy'.
> > I will see what more I can find out.
> > Best regards,
> > Jeff McCashland (He/him)
> > -----Original Message-----
> > From: Joseph Sutton <jsutton at samba.org>
> > Sent: Monday, August 21, 2023 11:30 PM
> > To: Jeff McCashland (He/him) <jeffm at microsoft.com>; cifs-protocol at lists.samba.org
> > Cc: Microsoft Support <supportmail at microsoft.com>
> > Subject: [EXTERNAL] Re: [MS-KILE] Certificate strings - but nothing
> > is said as to how these strings are to be derived from the client’s
> > certificate - TrackingID#2308180010001826
> > Hi,
> > I have not managed to have Windows generate these certificate
> > strings myself, but I imagine the procedure looks something like
> > the following.
> > First, create a claim type like so:
> >
> > dn: CN=ExampleClaim,CN=Claim Types,CN=Claims Configuration,CN=Services,CN=Configuration,DC=example,DC=com
> > changetype: add
> > objectClass: msDS-ClaimType
> > Enabled: TRUE
> > msDS-ClaimIsSingleValued: TRUE
> > msDS-ClaimSource: (what value should this have? — see below.)
> > msDS-ClaimSourceType: Certificate
> > msDS-ClaimTypeAppliesToClass: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
> > msDS-ClaimTypeAppliesToClass: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
> > msDS-ClaimValueType: 6
> >
> > Then, having installed and set up Certificate Services on the
> > Windows server, perform a Kerberos AS-REQ using PKINIT. If the KDC
> > generates the certificate strings as specified in [MS-ADTS], the
> > claim ought now to be in the PAC_CLIENT_CLAIMS_INFO PAC buffer in
> > the TGT. More pertinently (from an end user’s perspective), with
> > the claim in the PAC we should be authorized to access resources
> > requiring possession of said claim.
> > I’ve followed these steps as far as making the Kerberos AS-REQ.
> > The part of all this that I’m quite uncertain about is how to set
> > the attribute “msDS-ClaimSource”. According to the documentation
> > for GetCertificateSourcedClaims() ([MS-ADTS] section 3.1.1.11.2.3),
> > a certificate-sourced claim will be issued only if this attribute
> > matches one of the certificate strings. But, as of yet, I haven’t
> > been able to discover what value this attribute should hold for
> > that to happen, not knowing how the certificate strings are
> > derived. That’s what I’m ultimately trying to find out.
> > Regards,
> > Joseph
> > On 22/08/23 6:23 am, Jeff McCashland (He/him) wrote:
> > > Hi Joseph,
> > > I think I will need to do some debugging to find the answer to
> > > your question. Do you have a use case or scenario that would use
> > > this mechanism? Can you suggest a configuration and repro steps I
> > > can use to generate the exchange?
> > > Best regards,
> > > Jeff McCashland (He/him)
> > > -----Original Message-----
> > > From: Jeff McCashland (He/him)
> > > Sent: Friday, August 18, 2023 9:52 AM
> > > To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> > > Cc: Microsoft Support <supportmail at microsoft.com>
> > > Subject: RE: [MS-KILE] Certificate strings - but nothing is said as
> > > to how these strings are to be derived from the client’s certificate
> > > - TrackingID#2308180010001826
> > > [HC to BCC]
> > > Hi Joseph,
> > > I will research your question and let you know what I find.
> > > Best regards,
> > > Jeff McCashland (He/him)
> > > -----Original Message-----
> > > From: Hung-Chun Yu <HungChun.Yu at microsoft.com>
> > > Sent: Thursday, August 17, 2023 9:44 PM
> > > To: Joseph Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
> > > Cc: Microsoft Support <supportmail at microsoft.com>; Hung-Chun Yu <HungChun.Yu at microsoft.com>
> > > Subject: [MS-KILE] Certificate strings - but nothing is said as to
> > > how these strings are to be derived from the client’s certificate
> > > - TrackingID#2308180010001826
> > > [bcc dochelp]
> > > Hi Joseph
> > > Thank you for contacting Protocol Support. We created SR Case -
> > > TrackingID#2308180010001826. Do leave this tag in the subject
> > > line for future references. One of our engineers will be
> > > contacting you shortly.
> > > Hung-Chun Yu
> > > hunyu at microsoft.com
> > > 
> > > -----Original Message-----
> > > From: Joseph Sutton <jsutton at samba.org>
> > > Sent: Thursday, August 17, 2023 7:26 PM
> > > To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
> > > Subject: [EXTERNAL] [MS-KILE] Certificate strings
> > > Hi dochelp,
> > > [MS-KILE] 3.3.5.6.4.6, “PAC_CLIENT_CLAIMS_INFO Structure”,
> > > mentions that the KDC should call GetClaimsForPrincipal() to get
> > > the claims blob with which to populate the PAC_CLIENT_CLAIMS_INFO
> > > structure. One of the parameters to GetClaimsForPrincipal(),
> > > namely “pCertificateStringsArray”, comprises “[a] set of Unicode
> > > strings”, but nothing is said as to how these strings are to be
> > > derived from the client’s certificate.
> > > Can you outline the procedure by which these strings are formed,
> > > and perhaps provide an example of such a string?
> > > Regards,
> > > Joseph
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
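The rule the whole thread turns on is the one Joseph cites from [MS-ADTS] 3.1.1.11.2.3: a claim type with msDS-ClaimSourceType "Certificate" yields a claim only when its msDS-ClaimSource matches one of the strings in pCertificateStringsArray. The following is an added Python model of that rule, written for this page; it is not Samba code, not Windows code, and not from any participant in the thread. How Windows derives the strings from the client certificate is exactly what the thread never settles (Jeff's 19 September reply describes them as OIDs), so the strings and the OID value below are constructed test input, class names stand in for the msDS-ClaimTypeAppliesToClass schema DNs, and both the exact case-sensitive comparison and the boolean TRUE claim value are assumptions of the model rather than facts established on the page.

```python
"""Model of certificate-sourced claim issuance ([MS-ADTS] 3.1.1.11.2.3).

Added illustration only: not Samba, not Windows, not code from the thread.
The certificate strings and the OID below are constructed test input, and
the exact-match comparison and boolean TRUE claim value are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class ClaimsSourceType(IntEnum):
    """[MS-ADTS] 2.2.18.3 CLAIMS_SOURCE_TYPE, as quoted in the thread."""
    AD = 1
    CERTIFICATE = 2   # next enumerator after AD = 1; the spec gives no explicit value


# msDS-ClaimValueType values from the [MS-ADTS] CLAIM_TYPE enumeration;
# Joseph's LDIF sets msDS-ClaimValueType: 6.
CLAIM_TYPE_STRING = 3
CLAIM_TYPE_BOOLEAN = 6


@dataclass(frozen=True)
class ClaimTypeObject:
    """The msDS-ClaimType attributes that the thread's LDIF sets."""
    cn: str
    enabled: bool                 # Enabled
    claim_source_type: str        # msDS-ClaimSourceType: "AD" or "Certificate"
    claim_source: Optional[str]   # msDS-ClaimSource
    value_type: int               # msDS-ClaimValueType
    applies_to: frozenset         # msDS-ClaimTypeAppliesToClass (class names here)


@dataclass(frozen=True)
class Claim:
    """One issued claim: roughly a CLAIM_ENTRY tagged with its source type."""
    claim_id: str
    source_type: ClaimsSourceType
    value_type: int
    values: tuple


def get_certificate_sourced_claims(claim_types: Iterable[ClaimTypeObject],
                                   principal_class: str,
                                   certificate_strings: Iterable[str]) -> list:
    """Return the certificate-sourced claims issued to a principal of
    principal_class, given the KDC's pCertificateStringsArray."""
    cert_strings = set(certificate_strings)   # assumption: exact, case-sensitive match
    issued = []
    for ct in claim_types:
        if not ct.enabled:
            continue
        if ct.claim_source_type != "Certificate":
            continue   # AD-sourced claim types are produced by a different routine
        if principal_class not in ct.applies_to:
            continue
        if ct.claim_source is None or ct.claim_source not in cert_strings:
            continue   # the rule Joseph quotes: no matching string, no claim
        # Assumption: a matched certificate claim is a single boolean TRUE value.
        issued.append(Claim(ct.cn, ClaimsSourceType.CERTIFICATE,
                            CLAIM_TYPE_BOOLEAN, (True,)))
    return issued


EXAMPLE_OID = "1.2.840.113556.1.8000.2554.12345"   # constructed; not a real policy OID


def example_claim_types() -> list:
    """Constructed test data: Joseph's ExampleClaim plus two that must not issue."""
    return [
        ClaimTypeObject("ExampleClaim", True, "Certificate", EXAMPLE_OID,
                        CLAIM_TYPE_BOOLEAN, frozenset({"user", "computer"})),
        ClaimTypeObject("DisabledCertClaim", False, "Certificate", EXAMPLE_OID,
                        CLAIM_TYPE_BOOLEAN, frozenset({"user"})),
        ClaimTypeObject("Department", True, "AD", "department",
                        CLAIM_TYPE_STRING, frozenset({"user"})),
    ]


if __name__ == "__main__":
    for strings in (["1.2.3.4", EXAMPLE_OID], ["1.2.3.4"]):
        claims = get_certificate_sourced_claims(example_claim_types(), "user", strings)
        print(strings, "->", [(c.claim_id, int(c.source_type), c.values) for c in claims])
```

Run stand-alone, the first call issues ExampleClaim (source type 2, value TRUE) and the second issues nothing, which is the behaviour Joseph describes: until the KDC's certificate strings contain whatever msDS-ClaimSource holds, no certificate-sourced claim reaches PAC_CLIENT_CLAIMS_INFO. The disabled claim type and the AD-sourced claim type never issue through this path regardless of the strings.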