[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames
srenaden at microsoft.com
Wed Jun 8 19:52:22 UTC 2016
Hello Stefan, simple tests at my end using a test domain controller show that all of the following values are allowed by a MS Windows domain controller. Before I propose any doc changes, can you confirm which domain controller you used when you say "Testing against a Windows DC shows that **only** numeric characters are allowed after ':'"? Did you mean to say the domain controller itself failed to add such an SPN? Or are you saying that it is the SQL Server that didn't find an SPN that has a non-numeric character after ":"?
C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433 lvisser
C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1 lvisser
C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2 lvisser
C:\Users\Administrator>setspn -l lvisser
Registered ServicePrincipalNames for CN=lora visser,CN=Users,DC=379135DOM,DC=LAB:
You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2
But ultimately, if the SPN does not match the string as constructed by the service, i.e. SQL Server in this case, authentication will fail.
Microsoft Windows Open Specifications
From: Sreekanth Nadendla
Sent: Saturday, May 28, 2016 9:22 PM
To: Stefan Metzmacher; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames
Hi Metze, I will be assisting you with your issue.
From: Bryan Burgin
Sent: Saturday, May 28, 2016 9:56 AM
To: Stefan Metzmacher <metze at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:116052814221908] Validated-Writes of servicePrincipalNames
[Dochelp to bcc]
Thank you for your question. We created SR 116052814221908 to track this issue. An engineer will contact you soon.
From: Stefan Metzmacher [mailto:metze at samba.org]
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames
We have seen clients registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.
We're rejecting them, as we didn't know about the :port part, since MS-ADTS 126.96.36.199.188.8.131.52 servicePrincipalName doesn't specify this optional part.
Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid tcp/udp port number. It works with '99999'.
I also found a number of Google hits where people use things like:
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non-numeric :port parts.
Can you update the MS-ADTS 184.108.40.206.220.127.116.11 servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?
https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:
That should allow "MSSQLSvc/FQDN:SOMENAME" or it has to be
It would be nice to get some hints what we have to implement.
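As an added illustration for readers of this thread (it is not part of the thread, nor Samba's or Windows' code), the following Python splits the SPN shapes quoted above into their components and applies the two readings that are being compared: the strict "digits only after ':'" rule Stefan reports testing against, and the permissive "any non-empty token after ':'" behaviour Sreekanth observed with setspn -A. The component layout <serviceclass>/<host>[:<port-or-instance>][/<servicename>] is inferred from the examples in the thread, not quoted from MS-ADTS; the check is purely syntactic and says nothing about whether the SPN matches what SQL Server constructs at runtime.

```python
"""Parse SPNs of the shapes seen in this thread and compare two syntax policies.

Layout assumed here (inferred from the examples in the thread, not from MS-ADTS):
    <serviceclass>/<host>[:<port-or-instance>][/<servicename>]
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port_or_instance: Optional[str]  # text after ':' in the host component, if any
    service_name: Optional[str]      # optional third '/'-separated component


def parse_spn(spn: str) -> Spn:
    """Split an SPN into components; any empty component is a parse error."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN (expected class/host[:x][/name]): {spn!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, sep, tail = host_part.partition(":")
    if not host or (sep and not tail):
        raise ValueError(f"malformed host component in SPN: {spn!r}")
    return Spn(service_class, host, tail if sep else None, service_name)


def numeric_port_only(spn: Spn) -> bool:
    """Strict reading Stefan describes: only digits may follow ':'.
    Deliberately no range check, because '99999' was reported as accepted."""
    return spn.port_or_instance is None or spn.port_or_instance.isdigit()


def any_token_after_colon(spn: Spn) -> bool:
    """Permissive reading matching Sreekanth's setspn -A results: a numeric port
    or a named instance after ':' are both fine. parse_spn has already rejected
    an empty token, so every successfully parsed SPN passes."""
    return True


def classify(spns: List[str], strict: bool) -> Dict[str, str]:
    """Map each SPN to 'accepted', 'rejected' or 'malformed' under one policy."""
    policy = numeric_port_only if strict else any_token_after_colon
    result: Dict[str, str] = {}
    for s in spns:
        try:
            parsed = parse_spn(s)
        except ValueError:
            result[s] = "malformed"
            continue
        result[s] = "accepted" if policy(parsed) else "rejected"
    return result


# Every SPN below is taken verbatim from the messages in this thread.
THREAD_SPNS = [
    "MSSQLSvc/myhost.379135DOM.LAB:1433",
    "MSSQLSvc/myhost.379135DOM.LAB:MYINST1",
    "MSSQLSvc/myhost.379135DOM.LAB/MYINST2",
    "MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008",
]

if __name__ == "__main__":
    for s in THREAD_SPNS:
        p = parse_spn(s)
        print(f"{s:48} host={p.host} after_colon={p.port_or_instance} name={p.service_name}")
    print("strict (digits only after ':'):", classify(THREAD_SPNS, strict=True))
    print("permissive (as observed on the Windows DC):", classify(THREAD_SPNS, strict=False))
```

Running it shows the disagreement the thread is about: under the strict policy the two named-instance SPNs (":MYINST1", ":SOPHOS", ":MSSQLSERVER2008") are rejected while ":1433" and the three-component ":8989797/MYINST2" pass; under the permissive policy everything in the list is accepted, and only an empty token after ':' or a missing host component is refused as malformed.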