[cifs-protocol] Validated-Writes of servicePrincipalNames
metze at samba.org
Fri May 27 16:56:54 UTC 2016
We have seen clients registering servicePrincipalNames like
We're rejecting them, as we didn't know about the :port part.
As MS-ADTS 188.8.131.52.184.108.40.206 servicePrincipalName doesn't specify this
Testing against a Windows DC shows that only numeric characters are
':'. It seems it doesn't need to be a valid tcp/udp port number. It
works with '99999'.
As I also found a number of Google hits where people use things like:
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non
Can update the MS-ADTS 220.127.116.11.18.104.22.168 servicePrincipalName section
to be more detailed with what is and what is not allowed, maybe together
with some examples.
https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some
but the following is a bit unclear to me:
That should allow "MSSQLSvc/FQDN:SOMENAME" or it has to be
It would be nice to get some hints what we have to implement.
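
The behaviour reported in the message above (only digits accepted after the ':', with no port-range check, so '99999' passes), as an added example that is not part of the original post and is not Samba's or Microsoft's code. The host comparison against dNSHostName and sAMAccountName is a simplified assumption about the validated-write check, and the host and account values are constructed.

```python
import re


class SPNError(ValueError):
    """Raised when an SPN would be rejected by this sketch."""


def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (class, host, port, name)."""
    parts = spn.split("/")
    if len(parts) not in (2, 3) or "" in parts:
        raise SPNError("need 2 or 3 non-empty '/'-separated components")
    service_class, instance = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, colon, port = instance.partition(":")
    if not host:
        raise SPNError("empty host component")
    # Observed rule from the post: digits only, and no 0-65535 range check.
    # ASCII digits are matched explicitly; str.isdigit() would also accept
    # non-ASCII digit characters.
    if colon and not re.fullmatch(r"[0-9]+", port):
        raise SPNError("non-numeric text after ':'")
    # The port stays a string because it is never interpreted as a number.
    return service_class, host, (port if colon else None), service_name


def validated_write_ok(spn, dns_host_name, sam_account_name):
    """Assumed, simplified check: syntax is valid and the host is the
    computer's own DNS name or its account name without the trailing '$'."""
    try:
        _, host, _, _ = parse_spn(spn)
    except SPNError:
        return False
    own_names = {dns_host_name.lower(), sam_account_name.rstrip("$").lower()}
    return host.lower() in own_names


# Constructed sample computer account and candidate SPN values.
DNS_HOST_NAME = "yourhost.testdomain.com"
SAM_ACCOUNT_NAME = "YOURHOST$"
SAMPLES = [
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:1433",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:99999",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008",
    "MSSQLSvc/otherhost.testdomain.com:1433",
]

if __name__ == "__main__":
    for spn in SAMPLES:
        ok = validated_write_ok(spn, DNS_HOST_NAME, SAM_ACCOUNT_NAME)
        print(("accept" if ok else "reject"), spn)
```
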