[cifs-protocol] [REG: 210031349737651001 ] MS-KILE and ad-type 142 ?

Obaid Farooqi obaidf at microsoft.com
Thu Mar 25 09:19:31 MDT 2010

Hi Simo:
We have finished our investigation on your question regarding authorization data type 142. The following text will be added in a future release of MS-KILE.

The KERB-LOOPBACK structure contains the pointer to the credential object for the client and a system time.<WB1>

typedef struct _KERB_LOOP_BACK {
    PCREDENTIAL Credential;
    ULONG64 SystemUpTime;
};

Credential: Address of the credential object.
ServiceUpTime: The number of milliseconds that have elapsed since the service was started.

Service Up Time
KILE implements a counter of the number of milliseconds that have elapsed since the service was started. <WB2>

The following text will be added to the end of section AP Exchange:
When server name is not Krbtgt, the client SHOULD send KERB_LOOPBACK (142), containing an authorization data field ([RFC4120] section 5.2.6) of type KERB-LOOPBACK structure (Section 2.2.7) <WB1>.

The following text will be added at the end of section 3.4.5 Message Processing Events and Sequencing Rules:
If the credential at KERB-LOOPBACK.Credential address on the server is the same credential as in the service ticket, the server SHOULD process the authentication as a local ISC call instead of as an AP-REQ message. <WB1>

The following notes will be added to section 6 Appendix A: Product Behavior:
<WB1> Windows 7 and Windows Server 2008 R2 support transmitting KERB-LOOPBACK.
<WB2> In Windows 7, and Windows Server 2008 R2, the number of milliseconds that have elapsed since the system was started is sent on the wire. This time is not used by KILE.

Please let me know if it answers your question. If it does, I'll consider this issue resolved.

Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft

-----Original Message-----
From: simo [mailto:idra at samba.org] 
Sent: Friday, March 12, 2010 5:53 PM
To: Interoperability Documentation Help
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: CAR: MS-KILE and ad-type 142 ?

Dear Dochelp,
while researching forest trust relationships between a Windows 2008 R2 Domain Controller and a Samba 4 Domain Controller I found out that the Windows domain controller creates Kerberos packets containing an unknown auth data type 142.

MS-KILE references types 141 and 143 in section "AP Exchange", but I could find no mention of 142.

Can you please document it?


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
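
An added example, not part of the thread and not Samba or Microsoft code: a Python parser that walks a DER-encoded AuthorizationData ([RFC4120] section 5.2.6) and decodes ad-type 142 entries, so that the sender's Credential address is handled as an untrusted, length-checked value. The 16-byte layout (two little-endian 64-bit fields, 64-bit sender) is an assumption the thread does not state; the function names and sample bytes are constructed for illustration.

```python
import struct
KERB_LOOPBACK = 142  # ad-type named in the thread

def _tlv(buf, off):
    """Read one DER TLV at off; return (tag, value, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length

def _expect(buf, off, want):
    tag, val, nxt = _tlv(buf, off)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return val, nxt

def parse_authorization_data(der):
    """Return [(ad_type, ad_data)] from a DER AuthorizationData (RFC 4120 5.2.6)."""
    body, _ = _expect(der, 0, 0x30)            # SEQUENCE OF
    out, off = [], 0
    while off < len(body):
        elem, off = _expect(body, off, 0x30)   # SEQUENCE { ad-type, ad-data }
        t, nxt = _expect(elem, 0, 0xA0)        # [0] ad-type
        d, _ = _expect(elem, nxt, 0xA1)        # [1] ad-data
        ad_type = int.from_bytes(_expect(t, 0, 0x02)[0], "big", signed=True)
        out.append((ad_type, _expect(d, 0, 0x04)[0]))
    return out

def find_loopback(der):
    # Assumption (not stated in the thread): 16 bytes, two little-endian u64 fields.
    hits = [d for t, d in parse_authorization_data(der) if t == KERB_LOOPBACK]
    if any(len(d) != 16 for d in hits):
        raise ValueError("unexpected KERB-LOOPBACK length")
    return [dict(zip(("Credential", "SystemUpTime"), struct.unpack("<QQ", d))) for d in hits]
# Constructed sample: one opaque type-141 entry, then one type-142 entry.
def _der(tag, val):  # sample builder, short-form lengths only
    return bytes([tag, len(val)]) + val
def _entry(ad_type, data):
    return _der(0x30, _der(0xA0, _der(0x02, ad_type.to_bytes(2, "big"))) + _der(0xA1, _der(0x04, data)))
SAMPLE = _der(0x30, _entry(141, b"\x00" * 4) + _entry(142, struct.pack("<QQ", 0x1122334455667788, 86_400_000)))
```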
