[cifs-protocol] RE: Other types of Kerberos messages on SamLogon Generic

Hongwei Sun hongweis at microsoft.com
Mon Sep 8 00:01:02 GMT 2008


   I went through the logic of the generic pass through function in Kerberos package for both Windows server 2003 and 2008.  I found that it only processes KerbVerifyPacMessage (0x03).  For any other message types, STATUS_ACCESS_DENIED should be returned.

   Could you give me more information about your testing ?  Which version of Windows server did you use ?   Did you just use a KERB_VERIFY_PAC_REQUEST structure as LogonInformation passed to NetrLogonSamLogon() and set MessageType from 0x00 to 0xFF ?   If you can send us a network trace to show that NT_STATUS_OK is returned for any message type other than 0x03, it would be really helpful.


Hongwei  Sun - Sr. Support Escalation Engineer
DSC Protocol  Team, Microsoft
hongweis at microsoft.com
Tel:  469-7757027 x 57027

From: Andrew Bartlett [abartlet at samba.org]
Sent: Tuesday, September 02, 2008 11:06 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Other types of Kerberos messages on SamLogon Generic

MS-APDS describes only one Generic message type (0x3) for the
Package "Kerberos".  However, Microsoft servers still return
NT_STATUS_OK on a message type in the range 0x0..0xff (for example).
What other message types are valid on this Package, and what are their


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

More information about the cifs-protocol mailing list