[cifs-protocol] [REG:110092746298128] RE: krbtgt key to sign PAC with on an RODC

Sebastian Canevari Sebastian.Canevari at microsoft.com
Mon Sep 27 14:50:40 MDT 2010


Hi Andrew,

I'll be helping you out with this case.

As soon as I have answers or questions, I'll let you know.

Thanks and regards,

Sebastian

Sebastian Canevari
Escalation Engineer, US-CSS DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: sebastc at microsoft.com


-----Original Message-----
From: Tom Jebo 
Sent: Monday, September 27, 2010 7:58 AM
To: Andrew Bartlett; Interoperability Documentation Help
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: [REG:110092746298128] RE: krbtgt key to sign PAC with on an RODC

Good morning Andrew, 

Thank you for your question regarding [MS-PAC]. One of the Open Specifications engineers will follow up with you shortly. Your case number for reference is: 110092746298128

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, September 27, 2010 7:25 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: krbtgt key to sign PAC with on an RODC

If a RODC signs the PAC with the krbtgt key of the RODC, how is this marked in the PAC, so that another DC can verify the PAC if presented over NetLogon?

MS-PAC 2.8.2 KDC Signature does not make this very clear. 

Does a RODC not provide this signature, as it can't get the krbtgt key, or does it use its own krbtgt?

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.


