<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi Isaac, <o:p></o:p></p>
<p class="MsoNormal">Product group confirms that this is the case in which the evidence ticket is not forwardable, i.e. the user is marked as sensitive and may not be delegated. In that case, it doesn’t matter whether the delegation would otherwise be allowed.<o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal">Sreekanth Nadendla<o:p></o:p></p>
<p class="MsoNormal">Microsoft Windows Open Specifications<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="color:black">From:</span></b><span style="color:black"> Isaac Boukris <<a href="mailto:iboukris@gmail.com">iboukris@gmail.com</a>><br>
<b>Sent:</b> Tuesday, January 28, 2020 9:10 AM<br>
<b>To:</b> Interoperability Documentation Help <<a href="mailto:dochelp@microsoft.com">dochelp@microsoft.com</a>>; Greg Hudson <<a href="mailto:ghudson@mit.edu">ghudson@mit.edu</a>>;
<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a> <<a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>><br>
<b>Subject:</b> [EXTERNAL] Clarification request on recent errata of MS-SFU from 2019/12/09</span>
<o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Hello dochelp,<br>
<br>
I noticed some changes to MS-SFU with regard to S4U2Proxy.<br>
<a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-winerrata%2F68c4fd08-207c-4353-b59d-4d281edfb6bf&data=02%7C01%7Csrenaden%40microsoft.com%7C3f27c4046ddc4a034da508d7a41ed7eb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637158324691654419&sdata=PLSx1WB2MfLUXSzogEk3J9S3pkoN9HJZlzaCQh2c8XQ%3D&reserved=0">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-winerrata%2F68c4fd08-207c-4353-b59d-4d281edfb6bf&data=02%7C01%7CHungChun.Yu%40microsoft.com%7Ce12ab5b14189455d889c08d7a41528cd%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637158283089556045&sdata=j%2FAypN1BjcAbfUrMUwbfqMk41QXw4E2m3pUXMBN%2BAEI%3D&reserved=0</a><br>
<br>
The changes mostly makes sense, apart from the following new section<br>
I'm having hard time with, quote:<br>
<br>
If the service ticket in the additional-tickets field is not set to<br>
forwardable<19> and the PA-PAC-OPTIONS [167] ([MS-KILE] section<br>
2.2.10) padata type has the resource-based constrained delegation bit<br>
set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.<br>
<br>
Unquote.<br>
<br>
If the RBCD bit is set, shouldn't the KDC try to match in<br>
ServicesAllowedToReceiveForwardedTicketsFrom, as it follows in the<br>
document ?<br>
<br>
Thank you<o:p></o:p></p>
</div>
</div>
</div>
</div>
</body>
</html>