[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

Sreekanth Nadendla srenaden at microsoft.com
Mon Jun 20 21:44:21 UTC 2016


Hello Stefan, you might be working on other issues and didn't get a chance to review my e-mail below. I'm going to archive this temporarily and revisit this issue as soon as you are ready to provide me with the details of your test environment where the Windows domain controller doesn't allow an SPN with non-numeric characters after the colon.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Sreekanth Nadendla 
Sent: Wednesday, June 8, 2016 3:52 PM
To: 'Stefan Metzmacher'; 'cifs-protocol at lists.samba.org'
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames

Hello Stefan, simple tests at my end using a test domain controller show that all of the following values are allowed by the MS Windows domain controller. Before I propose any doc changes, can you confirm which domain controller you used when you say "Testing against a Windows DC shows that **only** numeric characters are allowed after ':'"? Did you mean to say the domain controller itself failed to add such an SPN? Or are you saying that it is the SQL Server that didn't find an SPN that has a non-numeric character after ":"?



C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2   lvisser

C:\Users\Administrator>setspn -l lvisser

Registered ServicePrincipalNames for CN=lora visser,CN=Users,DC=379135DOM,DC=LAB:

        MSSQLSvc/myhost.379135DOM.LAB/MYINST2
        MSSQLSvc/myhost.379135DOM.LAB:MYINST1
        MSSQLSvc/myhost.379135DOM.LAB:1433


You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2


But ultimately, if the SPN does not match the string as constructed by the service (i.e. SQL Server in this case), authentication will fail.




Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Sreekanth Nadendla 
Sent: Saturday, May 28, 2016 9:22 PM
To: Stefan Metzmacher; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames

Hi Metze, I will be assisting you with your issue.

Regards,
Sreekanth

-----Original Message-----
From: Bryan Burgin 
Sent: Saturday, May 28, 2016 9:56 AM
To: Stefan Metzmacher <metze at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:116052814221908] Validated-Writes of servicePrincipalNames

[Dochelp to bcc]
[+Casemail]

Hi Metze

Thank you for your question.  We created SR 116052814221908 to track this issue.  An engineer will contact you soon.

Bryan

-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org] 
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames

Hi DocHelp,

we have seen clients registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.

We're rejecting them, as we didn't know about the :port part; MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName doesn't specify this optional part.

Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid TCP/UDP port number; it works with '99999'.

I also found a number of Google hits where people use things like
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non-numeric :port parts.

Can you update the MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?

https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:

  MSSQLSvc/FQDN:[port|instancename]

That should allow "MSSQLSvc/FQDN:SOMENAME", or does it have to be

  MSSQLSvc/FQDN[:port][/instancename]
or
  MSSQLSvc/FQDN[:port|/instancename]

It would be nice to get some hints about what we have to implement.

Thanks!
metze
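Added example (not code from the thread, from Samba or from Microsoft): a small Python parser for the serviceclass/host[:port][/servicename] shape that both messages above argue about (Sreekanth's setspn results and metze's original question), with a policy switch for the open point of the thread, whether non-numeric text after ':' is accepted. The host check is a simplified stand-in for the validated-write name matching in MS-ADTS (the caller passes in the names the object may claim); the regex, the function names and the host list in the demo are this example's own assumptions, and the sample SPNs are the ones quoted in the thread.

```python
import re
from typing import Iterable, NamedTuple, Optional, Tuple


class Spn(NamedTuple):
    service_class: str
    host: str
    port: Optional[str]          # raw text between ':' and the next '/' (None if absent)
    service_name: Optional[str]  # text after the second '/' (None if absent)


# Shape under discussion in the thread: serviceclass/host[:port][/servicename].
# The text after ':' is captured verbatim, so the *caller* decides whether a
# non-numeric value (an instance name such as "SOPHOS") is acceptable there.
_SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)"
    r"/(?P<host>[^/:]+)"
    r"(?::(?P<port>[^/]+))?"
    r"(?:/(?P<svc>[^/]+))?$"
)


def parse_spn(spn: str) -> Spn:
    """Split an SPN into its parts; raise ValueError if it does not fit the shape."""
    m = _SPN_RE.match(spn)
    if m is None:
        raise ValueError("malformed SPN: %r" % spn)
    return Spn(m["cls"], m["host"], m["port"], m["svc"])


def validate_spn(spn: str, object_names: Iterable[str],
                 numeric_port_only: bool) -> Tuple[bool, str]:
    """Decide whether a validated write of `spn` should be accepted.

    object_names: names the target object may claim (an assumed, simplified
    stand-in for the dNSHostName/sAMAccountName matching in MS-ADTS).
    numeric_port_only: True models the strict reading (digits only after ':'),
    False the permissive behaviour seen with setspn in the thread.
    """
    try:
        p = parse_spn(spn)
    except ValueError as exc:
        return False, str(exc)
    if p.host.lower() not in {n.lower() for n in object_names}:
        return False, "host %r is not a name of the target object" % p.host
    if p.port is not None and numeric_port_only and not p.port.isdigit():
        return False, "non-numeric text after ':': %r" % p.port
    # No range check on a numeric port: the thread reports that ':99999'
    # (not a valid TCP/UDP port) is accepted by a Windows DC.
    return True, "ok"


if __name__ == "__main__":
    # Host list constructed for the demo; the SPNs are the ones quoted in the thread.
    names = ["myhost.379135DOM.LAB", "YOURHOST.TESTDOMAIN.COM"]
    for spn in [
        "MSSQLSvc/myhost.379135DOM.LAB:1433",
        "MSSQLSvc/myhost.379135DOM.LAB:MYINST1",
        "MSSQLSvc/myhost.379135DOM.LAB/MYINST2",
        "MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2",
        "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",
        "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:99999",
        "MSSQLSvc/other.example.com:1433",
    ]:
        strict = validate_spn(spn, names, numeric_port_only=True)
        loose = validate_spn(spn, names, numeric_port_only=False)
        print("%-48s strict=%-5s permissive=%-5s %s"
              % (spn, strict[0], loose[0], strict[1]))
```

Running the block shows the one SPN on which the two policies disagree: with numeric_port_only=True the ':MYINST1' and ':SOPHOS' forms are refused, with False they pass, while the '/MYINST2' form and the numeric ':99999' pass under both. The host check rejects an SPN for a name the object does not own regardless of the port policy, which is the part of the validated write that matters for security (it keeps a principal from claiming another host's service).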
