[cifs-protocol] [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

Edgar Olougouna edgaro at microsoft.com
Fri May 6 17:31:03 UTC 2016


Uri,
Windows KILE key version numbers are signed 32-bit integers. Windows KDC does not accept a 5-byte kvno and does not return errors on “malformed” packets, as that can be used to set up a DoS flood attack.
The first 16 bits of the kvno, including the most significant bit, are an unsigned 16-bit number that SHOULD identify the RODC (if it’s an RODC). The remaining 16 bits SHOULD be the version number of the key.
KILE has a deviation from [RFC4120], which defines kvno as UInt32.
For interop, the MIT implementation also uses the signed 32-bit integer.

Maybe I'll add a few lines to my blog.
https://blogs.msdn.microsoft.com/openspecification/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment/


Thanks,
Edgar

-----Original Message-----
From: Edgar Olougouna 
Sent: Friday, May 6, 2016 10:57 AM
To: Uri Simchoni <uri at samba.org>
Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

Uri,
I am reviewing this and will follow-up soon.

Thanks,
Edgar

-----Original Message-----
From: Kamil Sykora 
Sent: Thursday, May 5, 2016 8:13 PM
To: Uri Simchoni <uri at samba.org>
Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>; MSSolve Case Email <casemail at microsoft.com>
Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

[BCC: dochelp, CC: casemail]

Hello Uri,

Thank you for your question. I have created incident 116050614132786 to track your issue. One of our team members will contact you shortly.

Thanks,
Kamil
 
Kamil Sykora
Microsoft Open Specifications


-----Original Message-----
From: Uri Simchoni [mailto:uri at samba.org] 
Sent: Thursday, May 5, 2016 5:26 PM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>
Subject: [MS-KILE] - DER encoding of KVNO


Hi,

This is in reference to Samba bug
https://bugzilla.samba.org/show_bug.cgi?id=11900. I seek clarification on encoding of Kerberos tickets.

We've found that when generating a TGS request, the Kerberos library that's bundled with Samba encodes a KVNO larger than 0x7fffffff using 5 bytes, and this seems to upset Windows domain controllers (2003R2 and 2008R2), which seem to expect a maximum of 4 bytes in the KVNO. We've demonstrated that encoding the KVNO in 4 bytes fixes the issue.

We easily get to such high KVNO when working against an RODC which is configured to cache our machine account password. In that case the TGT we get has a high KVNO because it's made up of two fields. It appears that we decode and re-encode the TGT (the unencrypted parts) before sending it in a TGS-REQ.

According to RFC 4120, a KVNO is an unsigned 32-bit integer, and according to DER, such an integer in the range of 0x80000000-0xFFFFFFFF has to be encoded using 5 bytes, so it seems Samba's in compliance with the standard here.

Can you confirm that Windows expects up to 4 bytes in the KVNO? If yes, can it be said that Windows is too restrictive here?

Thanks,
Uri.
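The encoding difference the two messages above are discussing, worked through as an added example (this is not code from Samba, Heimdal, MIT or Microsoft, and not part of the thread). It implements a minimal DER INTEGER encoder/decoder and encodes the same kvno bit pattern two ways: as the RFC 4120 UInt32 (non-negative, so a value with the top bit set needs a leading 0x00 pad byte and becomes 5 content bytes) and as the signed 32-bit integer Edgar describes for Windows KILE and MIT (the same bit pattern, encoded as a negative two's-complement number in 4 content bytes). It also splits the RODC identifier (high 16 bits) from the key version (low 16 bits) as stated in the reply. The sample kvno 0x80010005 (RODC id 0x8001 with the MSB set, key version 5) is constructed for illustration; the `windows_dc_accepts` helper is an assumption that models only the one observation in the thread (5-byte kvno rejected, 4-byte accepted), not actual Windows parsing logic.

```python
from __future__ import annotations


def der_integer_encode(value: int) -> bytes:
    """Minimal two's-complement DER INTEGER (tag 0x02), X.690 8.3."""
    # Shortest byte length whose signed range contains the value.
    length = 1
    while not (-(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1))):
        length += 1
    content = value.to_bytes(length, "big", signed=True)
    # Short-form length is enough: no kvno needs 128 or more content bytes.
    return bytes([0x02, length]) + content


def der_integer_decode(data: bytes) -> tuple[int, bytes]:
    """Decode one DER INTEGER; return (value, remaining bytes).

    Rejects non-minimal encodings (X.690 8.3.2: the first nine bits must
    not be all zeros or all ones), so a padded 4-byte value is not accepted.
    """
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = data[1]
    if length == 0 or length >= 0x80 or len(data) < 2 + length:
        raise ValueError("bad INTEGER length")
    content = data[2:2 + length]
    if length > 1 and ((content[0] == 0x00 and content[1] < 0x80) or
                       (content[0] == 0xFF and content[1] >= 0x80)):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True), data[2 + length:]


def encode_kvno_rfc4120(kvno: int) -> bytes:
    """kvno as UInt32 (RFC 4120): non-negative, so >= 0x80000000 takes 5 bytes."""
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno out of UInt32 range")
    return der_integer_encode(kvno)


def encode_kvno_windows(kvno: int) -> bytes:
    """kvno as a signed 32-bit integer (the Windows KILE / MIT interpretation).

    The 32-bit pattern is reinterpreted as two's complement, so a kvno with
    the top bit set is encoded as a negative number in 4 content bytes.
    """
    if not 0 <= kvno <= 0xFFFFFFFF:
        raise ValueError("kvno out of 32-bit range")
    signed = kvno - (1 << 32) if kvno & 0x80000000 else kvno
    return der_integer_encode(signed)


def decode_kvno(data: bytes, accept_five_bytes: bool) -> int:
    """Decode a kvno back to its uint32 bit pattern.

    accept_five_bytes=False models a receiver that treats kvno as int32 and
    refuses the 5-byte form (the behaviour reported against Windows DCs).
    """
    value, rest = der_integer_decode(data)
    if rest:
        raise ValueError("trailing data after kvno")
    content_len = data[1]
    if content_len > 5 or (content_len == 5 and not accept_five_bytes):
        raise ValueError("kvno wider than 32 bits")
    if not -(1 << 31) <= value <= 0xFFFFFFFF:
        raise ValueError("kvno out of range")
    return value & 0xFFFFFFFF  # normalise negative int32 to its bit pattern


def windows_dc_accepts(data: bytes) -> bool:
    """Assumption (not Windows code): accept only kvno that fits 4 content bytes."""
    try:
        decode_kvno(data, accept_five_bytes=False)
        return True
    except ValueError:
        return False


def split_rodc_kvno(kvno: int) -> tuple[int, int]:
    """(rodc_id, key_version): high 16 bits identify the RODC, low 16 the key."""
    return (kvno >> 16) & 0xFFFF, kvno & 0xFFFF


if __name__ == "__main__":
    kvno = (0x8001 << 16) | 0x0005  # constructed: RODC id 0x8001, key version 5
    rfc = encode_kvno_rfc4120(kvno)
    win = encode_kvno_windows(kvno)
    print("RFC 4120 UInt32 :", rfc.hex(), "accepted by int32 DC:", windows_dc_accepts(rfc))
    print("Windows int32   :", win.hex(), "accepted by int32 DC:", windows_dc_accepts(win))
    print("decoded rodc_id/key_version:", split_rodc_kvno(decode_kvno(win, False)))
```

Both encodings decode to the same 32-bit pattern when the receiver reinterprets the signed value, which is why re-encoding the TGT's kvno in 4 bytes fixes the interop problem without losing information; the incompatibility is purely in which DER form each side is willing to emit and accept.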


