[cifs-protocol] [REG:110062157456375] -[MS-ADTS] 7.1.6.7.3 msDs-supportedEncryptionTypes usage

Bryan Burgin bburgin at microsoft.com
Fri Jul 9 14:53:09 MDT 2010


Andrew,

I received the following response from the product group, which I am forwarding for your feedback.  Please let me know if this resolves your question.

[MS-KILE] Section 3.3.1.1 "Account Database Extensions" specifies the account database extension which impacts KDC behavior:

KerbSupportedEncryptionTypes: A 32-bit unsigned integer that contains a combination of flags that specify what encryption types (section 2.2.5) are supported by the application server.<24> KILE implementations that use an Active Directory for the account database SHOULD use the msDS-SupportedEncryptionTypes attribute ([MS-ADA2] section 2.324).

[MS-KILE] Section 3.3.5.3 "AS Exchange" specifies the behavior during AS_REQ processing:

If the krbtgt account has a KerbSupportedEncryptionTypes populated with supported encryption types, then the KDC SHOULD<28> return in the encrypted part ([Referrals-11], Appendix A) of AS-REP message PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165), to indicate what encryption types are supported by the domain KDCs. If not, the KDC SHOULD check if the krbtgt account has the UseDESOnly flag and if set to:
  - TRUE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x3 (Section 2.2.5).
  - FALSE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the AS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x7 (Section 2.2.5).

[MS-KILE] Section 3.3.5.4 "TGS Exchange" specifies the behavior during the TGS_REQ processing:

If the server or service has a KerbSupportedEncryptionTypes populated with supported encryption types, then the KDC SHOULD<31> return in the encrypted part ([Referrals-11] Appendix A) of TGS-REP message PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165), to indicate what encryption types are supported by the server or service. If not, the KDC SHOULD<32> check the server or service account's UseDESOnly and if set to:
  - TRUE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the TGS-REP message, include PA-DATA with the padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x3 (Section 2.2.5).
  - FALSE: the KDC SHOULD, in the encrypted pre-auth data part ([Referrals-11], Appendix A) of the TGS-REP message, include PA-DATA with padata-type set to PA-SUPPORTED-ENCTYPES (165), and the padata-value set to 0x7 (Section 2.2.5).

Bryan

From: Bryan Burgin
Sent: Wednesday, July 07, 2010 1:46 PM
To: Andrew Bartlett (abartlet at samba.org); 'pfif at tridgell.net'; 'cifs-protocol at samba.org'; 'mat+Informatique.Samba at matws.net'
Cc: MSSolve Case Email; Edgar Olougouna
Subject: [REG:110062157456375] -[MS-ADTS] 7.1.6.7.3 msDs-supportedEncryptionTypes usage


Andrew,

Edgar is going to be out of the office for a bit.  I will be handling this issue for you in his absence.  He has an inquiry filed with the product group.  I just pinged them to let them know that I'm their new contact.  As soon as I have more information, I'll let you know.

Bryan
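The following is an added worked example, not part of the mailing-list message or of any Microsoft or Samba code. It decodes the msDS-SupportedEncryptionTypes bitmask using the flag bits defined in [MS-KILE] section 2.2.5 and reproduces the quoted KDC rule for the PA-SUPPORTED-ENCTYPES (165) padata-value: the account's own bitmask when populated, otherwise 0x3 (DES only) or 0x7 (DES plus RC4) depending on UseDESOnly. It assumes "not populated" means the attribute is absent or zero, and the account records are constructed sample data; the audit helper is the kind of check a directory administrator would run to find accounts that would be advertised to clients without any AES type.

```python
# Added example, not from the mailing-list message: decode
# msDS-SupportedEncryptionTypes and apply the quoted [MS-KILE] KDC rule.

# Flag bits as defined in [MS-KILE] section 2.2.5.
ENCTYPE_FLAGS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
AES_MASK = 0x08 | 0x10

PA_SUPPORTED_ENCTYPES = 165  # padata-type named in the quoted text


def decode_supported_enctypes(value):
    """Return the names of the encryption types set in the bitmask, lowest bit first."""
    return [name for bit, name in sorted(ENCTYPE_FLAGS.items()) if value & bit]


def kdc_supported_enctypes_padata(supported_enctypes, use_des_only):
    """Return (padata-type, padata-value) following the quoted [MS-KILE] rule.

    supported_enctypes: msDS-SupportedEncryptionTypes of the krbtgt account
    (AS exchange) or of the service account (TGS exchange). Assumption: None
    or 0 means the attribute is not populated.
    use_des_only: the account's UseDESOnly flag.
    """
    if supported_enctypes:
        return (PA_SUPPORTED_ENCTYPES, supported_enctypes)
    # Attribute not populated: 0x3 = DES-CBC-CRC | DES-CBC-MD5,
    # 0x7 = the same plus RC4-HMAC.
    return (PA_SUPPORTED_ENCTYPES, 0x3 if use_des_only else 0x7)


def only_legacy_enctypes(value):
    """True when a non-empty bitmask advertises no AES type (DES and/or RC4 only)."""
    return bool(value) and not (value & AES_MASK)


# Constructed sample accounts; not taken from any real directory.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "msDS-SupportedEncryptionTypes": 0x1C, "UseDESOnly": False},
    {"sAMAccountName": "legacy-svc", "msDS-SupportedEncryptionTypes": 0x4, "UseDESOnly": False},
    {"sAMAccountName": "old-printer$", "msDS-SupportedEncryptionTypes": None, "UseDESOnly": True},
]


def audit(accounts):
    """For each account, the enctypes the KDC would advertise and whether they are AES-free."""
    report = {}
    for acct in accounts:
        _, value = kdc_supported_enctypes_padata(
            acct["msDS-SupportedEncryptionTypes"], acct["UseDESOnly"]
        )
        report[acct["sAMAccountName"]] = {
            "padata_value": value,
            "advertised": decode_supported_enctypes(value),
            "legacy_only": only_legacy_enctypes(value),
        }
    return report


if __name__ == "__main__":
    for name, row in audit(SAMPLE_ACCOUNTS).items():
        flag = "LEGACY-ONLY" if row["legacy_only"] else "ok"
        print(f"{name:14} 0x{row['padata_value']:02x} {', '.join(row['advertised'])} [{flag}]")
```

Note that the fallback values 0x3 and 0x7 both omit AES, so an account whose attribute is left unpopulated is advertised as DES/RC4-capable only; populating msDS-SupportedEncryptionTypes with the AES bits is what lets the KDC advertise AES for that principal.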

