[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

Bryan Burgin bburgin at microsoft.com
Sat May 28 16:55:51 UTC 2016


[Dochelp to bcc]
[+Casemail]

Hi Metze

Thank you for your question.  We created SR 116052814221908 to track this issue.  An engineer will contact you soon.

Bryan

-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org] 
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames

Hi DocHelp,

we have seen clients registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.

We're rejecting them, as we didn't know about the :port part; MS-ADTS 3.1.1.5.3.1.1.4 (servicePrincipalName) doesn't specify this optional part.

Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid tcp/udp port number. It works with '99999'.

I also found a number of Google hits where people use things like
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non-numeric :port parts.

Can you update the MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?

https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:

  MSSQLSvc/FQDN:[port|instancename]

That should allow "MSSQLSvc/FQDN:SOMENAME", or does it have to be

  MSSQLSvc/FQDN[:port][/instancename]
or
  MSSQLSvc/FQDN[:port|/instancename]

It would be nice to get some hints what we have to implement.

Thanks!
metze
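The check Metze describes, as an added example that is not code from this thread, from Samba or from Microsoft. It assumes the SPN grammar `<serviceclass>/<host>[:<port>][/<servicename>]`, treats the :port part the way the Windows DC reportedly behaved (decimal digits only, no range check, so 99999 passes), and stands in for the "which hosts may this account register" part of a validated write with a caller-supplied `allowed_hosts` set instead of the dNSHostName/sAMAccountName lookup a real DC would do. The sample SPNs are the ones quoted in the thread plus a few constructed variants.

```python
import re

# Assumed grammar (the thread says MS-ADTS 3.1.1.5.3.1.1.4 is silent on the
# ":port" part, so this mirrors the observed DC behaviour, not the spec):
#     <serviceclass>/<host>[:<port>][/<servicename>]
# The port, when present, must be decimal digits only; the thread reports that a
# Windows DC accepted 99999, so no check against 0..65535 is applied here.
SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)"   # service class and host
    r"(?::(?P<port>[^/]*))?"               # optional :port, validated below
    r"(?:/(?P<name>[^/]+))?$"              # optional /servicename
)
PORT_RE = re.compile(r"^[0-9]+$")          # ASCII digits only, no str.isdigit()


def parse_spn(spn):
    """Split an SPN into cls/host/port/name, or return None if malformed."""
    m = SPN_RE.match(spn)
    if not m:
        return None
    return m.groupdict()


def validated_write_ok(spn, allowed_hosts):
    """Decide whether a client may write `spn` onto its own account.

    `allowed_hosts` is an assumption of this example: it stands in for the
    names a real DC derives from the account's dNSHostName/sAMAccountName.
    Returns (accepted, reason) so the caller can log why a write was refused.
    """
    parts = parse_spn(spn)
    if parts is None:
        return False, "malformed SPN"
    port = parts["port"]
    if port is not None and not PORT_RE.match(port):
        return False, "non-numeric :port part %r" % port
    if parts["host"].lower() not in {h.lower() for h in allowed_hosts}:
        return False, "host %r not owned by this account" % parts["host"]
    return True, "ok"


# Constructed inputs: the SPNs quoted in the thread plus two variants.
SAMPLES = [
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",            # reject: name after ':'
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008",   # reject: name after ':'
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:99999",             # accept: digits, no range check
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:1433/MSSQLSERVER",  # accept: instance as 3rd part
    "HOST/OTHERHOST.TESTDOMAIN.COM",                      # reject: not this account's host
]

if __name__ == "__main__":
    owned = {"YOURHOST.TESTDOMAIN.COM", "YOURHOST"}   # assumed account names
    for s in SAMPLES:
        print("%-50s %s" % (s, validated_write_ok(s, owned)))
```

Whether an instance name belongs after a third '/' (as the example assumes) or after the ':' (as the MSDN SQL Server page suggests) is exactly the question Metze puts to DocHelp; the example only encodes what the thread reports a Windows DC actually accepted.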