[cifs-protocol] [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

Obaid Farooqi obaidf at microsoft.com
Tue Sep 16 15:11:33 MDT 2014


Hi Andrew:
We have finished our investigation on this issue. Please find the answer to your question as follows in Q&A format:

Q. does user have this SPN?
A. When a request comes to a DC, it first tries to find the domain that is specified in the DomainName field of the AUTHENTICATE_MESSAGE. If the domain matches the local domain, then SAM is used.
If the user did not ask for the local domain, the DC checks to see if the DomainName exists in the trusted domain list.
If the DomainName is not in the trusted domain list, the DC tries to query the GC to see if a name exists there.
If that fails, the DC tries to log the user on as guest.
If that fails, a "no such user" error is returned.

Please let me know if it does not answer your question.


Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Obaid Farooqi 
Sent: Thursday, September 11, 2014 12:24 AM
To: 'Andrew Bartlett'
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: RE: [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

Hi Andrew:
Please see the answer to your questions in Q&A fashion as follows:

Q. How does the DC work out what Domain to send it to, when it is one of many domains in a complex trusted domain tree?
A. If the server is a DC, the processing steps are described in section "3.5.4.5.1 NetrLogonSamLogonEx (Opnum 39)". Specifically, the discussion about trusted domains that starts as follows:

"
If the request is not for the domain of which the server is a member and the server is a DC, then the server MUST perform external behavior consistent with locally invoking LsarQueryTrustedDomainInfoByName (MS-LSAD section 3.1.4.7.5), using the following Parameters.....
"
Please consult MS-NRPC for a full discussion.

Q. This happens, apparently, when logging on to a domain that doesn't actually exist (eg, an unrelated random name as the domain or workgroup).
A. There is a discussion of authoritative flag in MS-NRPC section "3.5.4.5.1 NetrLogonSamLogonEx (Opnum 39)" as follows:
"
This Boolean value indicates whether the validation information is final. This field is necessary because the request might be forwarded through multiple servers. The value TRUE indicates that the validation information is an authoritative response and MUST remain unchanged. The value FALSE SHOULD indicate that the validation information is not an authoritative response and that the client can resend the request to another server.
"
In my testing, when an unknown domain is specified, I always got an authoritative response.

Q. does user have this SPN?
A. Can you please elaborate more on this question?

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, September 8, 2014 7:30 PM
To: Obaid Farooqi
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

On Mon, 2014-09-08 at 16:33 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> The answers to your questions are in MS-NRPC, specifically in sections "1.3.1 Pass-Through Authentication" and "1.3.2 Pass-Through Authentication and Domain Trusts".
> 
> I cannot advise you on how to implement this in your environment but I can tell you how Windows does it. 
> 
> As far as how Windows does it, here is what happens in Windows:
> 
> 1. First it is determined if the server (machine receiving the NTLM 
> AUTHENTICATE_MESSAGE) is a member of a domain or not. If the server is 
> not a member of a domain, then SAM is tried right away.
> 2. If the server is a member of the domain, Netlogon is the default 
> method. But before shipping the logon request to the DC, the server tries 
> the SAM first and, in case of a failure, sends the request to the DC.

OK. 

> I did not see any difference in processing when the server is just a member server or DC (non GC). 

How does the DC work out what Domain to send it to, when it is one of many domains in a complex trusted domain tree?

> I was not able to reproduce the situation in which a DC returns a 
> non-authoritative response. I tried it in the situation where there is 
> one root DC with two child DCs and a member server that is joined to 
> one child domain. If you can please let me know a scenario where the DC 
> returns non-authoritative, I'll see what Windows does.

This happens, apparently, when logging on to a domain that doesn't actually exist (eg, an unrelated random name as the domain or workgroup).

> I'll update you on the following question as I continue my investigation on rootDC:
> 1. does user have this SPN?

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
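The two routing descriptions in this thread (the member-server behaviour quoted in Obaid's earlier reply: SAM first, then Netlogon pass-through to a DC; and the DC-side order in his final answer: local domain, trusted-domain list, global catalog, guest, then "no such user") can be written down as a small decision model. The following is an added example for this archive page, not Windows or Samba code and not anything from MS-NRPC. The `DomainController`, `MemberServer` and `Route` names, the lookup tables and the sample accounts are all constructed for the illustration; the behaviour of a local-domain SAM miss on the DC (treated here as an immediate "no such user") is an assumption the thread does not settle.

```python
"""Constructed model of NTLM logon routing as described in the thread.

Not Windows code: the data structures stand in for the SAM, the
trusted-domain list and the global catalog so the routing order can be
exercised offline.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Set, Tuple


class Route(Enum):
    """Where a simulated AUTHENTICATE_MESSAGE ends up being handled."""
    LOCAL_SAM = "validated against the local SAM"
    PASS_THROUGH = "Netlogon pass-through to the DC"
    TRUSTED_DOMAIN = "routed to a trusted domain (trusted-domain list hit)"
    GLOBAL_CATALOG = "name resolved via the global catalog"
    GUEST = "guest logon"
    NO_SUCH_USER = "STATUS_NO_SUCH_USER"


@dataclass
class DomainController:
    """DC-side routing: local domain, trust list, GC, guest, no such user."""
    domain: str
    sam_users: Set[str]                      # accounts in this DC's own database
    trusted_domains: Set[str]                # constructed trusted-domain list
    gc_accounts: Set[Tuple[str, str]]        # (domain, user) pairs the GC knows
    guest_enabled: bool = False

    def route(self, domain_name: str, user_name: str) -> Route:
        # NetBIOS domain and account names are case-insensitive.
        domain_name = domain_name.upper()
        user_name = user_name.lower()

        # Step 1: DomainName names this DC's own domain -> use SAM.
        if domain_name == self.domain.upper():
            if user_name in self.sam_users:
                return Route.LOCAL_SAM
            # Assumption: a miss in the local domain is reported directly;
            # the thread only describes the guest fallback on the GC path.
            return Route.NO_SUCH_USER

        # Step 2: DomainName is in the trusted-domain list -> route there.
        if domain_name in self.trusted_domains:
            return Route.TRUSTED_DOMAIN

        # Step 3: unknown domain -> ask the GC whether the name exists.
        if any(user == user_name for _, user in self.gc_accounts):
            return Route.GLOBAL_CATALOG

        # Step 4: try guest; step 5: otherwise "no such user".
        return Route.GUEST if self.guest_enabled else Route.NO_SUCH_USER


@dataclass
class MemberServer:
    """Server receiving the AUTHENTICATE_MESSAGE; dc=None means standalone."""
    sam_users: Set[str]
    dc: Optional[DomainController] = None

    def route(self, domain_name: str, user_name: str) -> List[Route]:
        """Return the hops taken, ending with the final outcome."""
        user_name = user_name.lower()
        hops: List[Route] = []
        # Both a standalone server and a domain member try the local SAM first.
        if user_name in self.sam_users:
            hops.append(Route.LOCAL_SAM)
            return hops
        # Standalone server: nothing to forward to.
        if self.dc is None:
            hops.append(Route.NO_SUCH_USER)
            return hops
        # Domain member: SAM failed, ship the request to the DC via Netlogon.
        hops.append(Route.PASS_THROUGH)
        hops.append(self.dc.route(domain_name, user_name))
        return hops


def build_sample_forest() -> MemberServer:
    """Constructed forest: root + two children, member joined to CHILD1."""
    dc = DomainController(
        domain="CHILD1",
        sam_users={"alice"},
        trusted_domains={"ROOT", "CHILD2"},
        gc_accounts={("CHILD2", "bob")},
    )
    return MemberServer(sam_users={"localadmin"}, dc=dc)


if __name__ == "__main__":
    srv = build_sample_forest()
    for dom, user in [("CHILD1", "localadmin"), ("CHILD1", "alice"),
                      ("ROOT", "carol"), ("BOGUS", "bob"), ("BOGUS", "nobody")]:
        print(f"{dom}\\{user}: " + " -> ".join(r.value for r in srv.route(dom, user)))
```

The `BOGUS` cases are the ones Andrew asks about: a domain name that is neither local nor trusted. In this model the request still reaches the DC, which consults the GC and then falls back to guest or "no such user", which is consistent with Obaid's observation that such responses came back marked authoritative rather than being bounced to another server.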