[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames
Sreekanth Nadendla
srenaden at microsoft.com
Mon Jun 20 21:44:21 UTC 2016
Hello Stefan, you might be working on other issues and didn't get a chance to review my e-mail below. I'm going to archive this temporarily and revisit this issue as soon as you are ready to provide me the details of your test environment where the Windows domain controller doesn't allow an SPN with non-numeric characters after the colon.
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
-----Original Message-----
From: Sreekanth Nadendla
Sent: Wednesday, June 8, 2016 3:52 PM
To: 'Stefan Metzmacher'; 'cifs-protocol at lists.samba.org'
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames
Hello Stefan, simple tests at my end using a test domain controller show that all of the following values are allowed by the MS Windows domain controller. Before I propose any doc changes, can you confirm which domain controller you used when you say "Testing against a Windows DC shows that **only** numeric characters are allowed after ':'"? Did you mean to say the domain controller itself failed to add such an SPN? Or are you saying that it is the SQL Server that didn't find an SPN that has a non-numeric character after ":"?
C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433 lvisser
C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1 lvisser
C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2 lvisser
C:\Users\Administrator>setspn -l lvisser
Registered ServicePrincipalNames for CN=lora visser,CN=Users,DC=379135DOM,DC=LAB:
MSSQLSvc/myhost.379135DOM.LAB/MYINST2
MSSQLSvc/myhost.379135DOM.LAB:MYINST1
MSSQLSvc/myhost.379135DOM.LAB:1433
You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2
But ultimately, if the SPN does not match the string as constructed by the service, i.e. SQL Server in this case, authentication will fail.
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
-----Original Message-----
From: Sreekanth Nadendla
Sent: Saturday, May 28, 2016 9:22 PM
To: Stefan Metzmacher; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames
Hi Metze, I will be assisting you with your issue.
Regards,
Sreekanth
-----Original Message-----
From: Bryan Burgin
Sent: Saturday, May 28, 2016 9:56 AM
To: Stefan Metzmacher <metze at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:116052814221908] Validated-Writes of servicePrincipalNames
[Dochelp to bcc]
[+Casemail]
Hi Metze
Thank you for your question. We created SR 116052814221908 to track this issue. An engineer will contact you soon.
Bryan
-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org]
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames
Hi DocHelp,
we have seen clients registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.
We're rejecting them, as we didn't know about the :port part.
MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName doesn't specify this optional part.
Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid TCP/UDP port number; it works with '99999'.
I also found a number of Google hits where people use things like:
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non-numeric :port parts.
Can you update the MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?
https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:
MSSQLSvc/FQDN:[port|instancename]
That should allow "MSSQLSvc/FQDN:SOMENAME", or does it have to be
MSSQLSvc/FQDN[:port][/instancename]
or
MSSQLSvc/FQDN[:port|/instancename]
It would be nice to get some hints about what we have to implement.
Thanks!
metze
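The thread above turns on which shapes of MSSQLSvc SPN a directory server should accept: Sreekanth's setspn test shows the Windows DC taking "host:1433", "host:MYINST1", "host/MYINST2" and "host:8989797/MYINST2", while Metze's earlier test saw only digits accepted after ':'. The following Python is an added illustration, not code from Samba, Microsoft or anyone in the thread. It parses an SPN into the parts discussed (service class, host, the text after ':', the text after a trailing '/') using the grammar serviceclass/host[:portOrInstance][/servicename] that fits every value quoted in the thread, and then applies a small validation policy. The host-must-match-the-object's-names check and the `numeric_port_only` switch are assumptions modelling the two behaviours reported here, not quotations from MS-ADTS.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class SPN(NamedTuple):
    service_class: str
    host: str
    port_or_instance: Optional[str]  # text after ':' (port or instance name)
    service_name: Optional[str]      # text after the trailing '/'


# Grammar assumed from the values quoted in the thread:
#   serviceclass/host[:portOrInstance][/servicename]
# The service class and host may not contain '/' or ':'; the part after ':'
# runs up to the next '/'; anything after that '/' is taken verbatim.
_SPN_RE = re.compile(r"^([^/:]+)/([^/:]+)(?::([^/]+))?(?:/(.+))?$")


def parse_spn(spn: str) -> SPN:
    """Split an SPN string into its components, or raise ValueError."""
    m = _SPN_RE.match(spn)
    if m is None:
        raise ValueError("malformed SPN: %r" % spn)
    service_class, host, port_or_instance, service_name = m.groups()
    return SPN(service_class, host, port_or_instance, service_name)


def validate_spn(spn: str, object_names: List[str],
                 numeric_port_only: bool = False) -> Tuple[bool, str]:
    """Decide whether an SPN write should be accepted for an object.

    object_names: host names the target object is known by (assumed here to
                  be what a validated write compares the host part against).
    numeric_port_only: True models the behaviour Metze observed (only digits
                  after ':', but any digit string, e.g. '99999'); False models
                  the behaviour Sreekanth's DC showed (instance names allowed).
    Returns (accepted, reason).
    """
    try:
        parsed = parse_spn(spn)
    except ValueError as exc:
        return False, str(exc)

    # Host part must name the object the SPN is being written to; DNS names
    # are compared case-insensitively.
    known = {name.lower() for name in object_names}
    if parsed.host.lower() not in known:
        return False, "host %r is not one of the object's names" % parsed.host

    # Optional strict policy on the text after ':'. Note that a digit string is
    # accepted even when it is not a usable TCP/UDP port, matching the thread.
    if numeric_port_only and parsed.port_or_instance is not None:
        if re.fullmatch(r"[0-9]+", parsed.port_or_instance) is None:
            return False, "non-numeric value %r after ':'" % parsed.port_or_instance

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample input: the values from the setspn session in the thread.
    names = ["myhost.379135DOM.LAB"]
    for candidate in [
        "MSSQLSvc/myhost.379135DOM.LAB:1433",
        "MSSQLSvc/myhost.379135DOM.LAB:MYINST1",
        "MSSQLSvc/myhost.379135DOM.LAB/MYINST2",
        "MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2",
        "MSSQLSvc/other.379135DOM.LAB:1433",
    ]:
        print(candidate, parse_spn(candidate))
        print("  lenient:", validate_spn(candidate, names))
        print("  numeric:", validate_spn(candidate, names, numeric_port_only=True))
```

Running the module prints, for each value from the setspn session, its parsed components and the verdict under both policies: the lenient policy accepts all four of Sreekanth's forms, the numeric-only policy rejects the two instance-name forms, and both reject the SPN whose host is not among the object's names.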