[cifs-protocol] [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

Kamil Sykora kamils at microsoft.com
Fri May 6 01:13:02 UTC 2016

[BCC: dochelp, CC: casemail]

Hello Uri,

Thank you for your question. I have created incident 116050614132786 to track your issue. One of our team members will contact you shortly.

Kamil Sykora
Microsoft Open Specifications

-----Original Message-----
From: Uri Simchoni [mailto:uri at samba.org] 
Sent: Thursday, May 5, 2016 5:26 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>
Subject: [MS-KILE] - DER encoding of KVNO


This is in reference to Samba bug
https://bugzilla.samba.org/show_bug.cgi?id=11900. I seek clarification on encoding of Kerberos tickets.

We've found that when generating a TGS request, the Kerberos library that's bundled with Samba encodes a KVNO larger than 0x7fffffff using 5 bytes, and this seems to upset Windows domain controllers (2003R2 and 2008R2), which seem to expect a maximum of 4 bytes in the KVNO. We've demonstrated that encoding the KVNO in 4 bytes fixes the issue.

We easily get to such a high KVNO when working against an RODC which is configured to cache our machine account password. In that case the TGT we get has a high KVNO because it's made up of two fields. It appears that we decode and re-encode the TGT (the unencrypted parts) before sending it in a TGS-REQ.

According to RFC 4120, a KVNO is an unsigned 32-bit integer, and according to DER, such an integer in the range of 0x80000000-0xFFFFFFFF has to be encoded using 5 bytes, so it seems Samba's in compliance with the standard here.

Can you confirm that Windows expects up to 4 bytes in the KVNO? If yes, can it be said that Windows is too restrictive here?
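
The 5-byte versus 4-byte encoding discussed in the message above, as an added example that is not part of the original message and is not code from Samba or its bundled Kerberos library. The function names and the sample KVNO are constructed for illustration, and modelling the 4-byte form as the same 32 bits read as a signed integer is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Encode v as a DER INTEGER (tag 0x02) with minimal two's-complement
 * content octets (X.690 8.3.2). Returns bytes written to out (<= 10). */
static size_t der_put_int64(int64_t v, uint8_t *out)
{
    uint8_t be[8];
    size_t skip = 0, i, n;

    for (i = 0; i < 8; i++)
        be[i] = (uint8_t)((uint64_t)v >> (56 - 8 * i));
    /* Drop a leading octet while it only repeats the next octet's sign bit. */
    while (skip < 7 &&
           ((be[skip] == 0x00 && !(be[skip + 1] & 0x80)) ||
            (be[skip] == 0xFF && (be[skip + 1] & 0x80))))
        skip++;
    n = 8 - skip;
    out[0] = 0x02;        /* universal tag: INTEGER */
    out[1] = (uint8_t)n;  /* short-form length */
    for (i = 0; i < n; i++)
        out[2 + i] = be[skip + i];
    return 2 + n;
}

/* KVNO treated as an unsigned 32-bit value: 0x80000000 and above need a
 * leading 0x00 octet so the INTEGER is not read as negative. */
size_t der_put_kvno_unsigned(uint32_t kvno, uint8_t *out)
{
    return der_put_int64((int64_t)kvno, out);
}

/* Assumed 4-byte form: the same 32 bits read as a signed value. */
size_t der_put_kvno_signed(uint32_t kvno, uint8_t *out)
{
    int64_t s = (int64_t)kvno;
    if (kvno & 0x80000000u)
        s -= INT64_C(4294967296);
    return der_put_int64(s, out);
}

int main(void)
{
    uint8_t buf[10];
    uint32_t kvno = 0xC3500001u; /* constructed sample above 0x7fffffff */
    printf("unsigned: %zu content octets\n", der_put_kvno_unsigned(kvno, buf) - 2);
    printf("signed:   %zu content octets\n", der_put_kvno_signed(kvno, buf) - 2);
    return 0;
}
```

For values up to 0x7fffffff both functions produce identical bytes, so the two readings only diverge on the wire once the high bit of the KVNO is set.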

