[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames
bburgin at microsoft.com
Sat May 28 16:55:51 UTC 2016
[Dochelp to bcc]
Thank you for your question. We created SR 116052814221908 to track this issue. An engineer will contact you soon.
From: Stefan Metzmacher [mailto:metze at samba.org]
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames
We have seen clients registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.
We're rejecting them, as we didn't know about the :port part.
MS-ADTS 126.96.36.199.188.8.131.52 servicePrincipalName doesn't specify this optional part.
Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid tcp/udp port number. It works with '99999'.
I also found a number of Google hits where people use things like:
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non-numeric :port parts.
Can you update the MS-ADTS 184.108.40.206.220.127.116.11 servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?
https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:
That should allow "MSSQLSvc/FQDN:SOMENAME" or it has to be
It would be nice to get some hints what we have to implement.
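The check Stefan describes (a ':' suffix after the host is accepted only if it is purely numeric, with no port-range check) can be written down as a small validator. The following is an added illustration, not Samba's or Microsoft's code; the rule it implements is an assumption derived solely from the behaviour observed against the Windows DC in the mail above, and the sample SPNs are constructed from the examples quoted there.

```python
import re

# Constructed sample SPNs taken from the examples quoted in the mail above.
SAMPLE_SPNS = [
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",          # non-numeric suffix
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:99999",           # numeric, not a valid port
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008", # non-numeric suffix
    "HOST/YOURHOST.TESTDOMAIN.COM",                     # no suffix at all
]

# ASCII digits only; str.isdigit() would also accept Unicode digit characters.
_NUMERIC_SUFFIX = re.compile(r"[0-9]+")


def parse_spn(spn):
    """Split an SPN into (service_class, host, port_suffix, service_name).

    port_suffix and service_name are None when absent. Returns None for
    strings that do not have the two- or three-part 'class/host[:suffix][/name]'
    shape (assumed structure for this illustration).
    """
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        return None
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, sep, suffix = host_part.partition(":")
    if not host:
        return None
    return (service_class, host, suffix if sep else None, service_name)


def spn_suffix_is_acceptable(spn):
    """Apply the rule observed against the Windows DC: if a ':suffix' follows
    the host it must consist of digits only. No range check is performed, so
    '99999' passes. An empty suffix ('host:') is treated as rejected; that is
    an assumption, the mail does not cover it.
    """
    parsed = parse_spn(spn)
    if parsed is None:
        return False
    suffix = parsed[2]
    if suffix is None:
        return True
    return _NUMERIC_SUFFIX.fullmatch(suffix) is not None


def classify(spns):
    """Map each SPN to whether a validated write of it would be accepted."""
    return {spn: spn_suffix_is_acceptable(spn) for spn in spns}


if __name__ == "__main__":
    for spn, ok in classify(SAMPLE_SPNS).items():
        print(f"{'accept' if ok else 'reject'}  {spn}")
```

Running it over the constructed list accepts the '99999' and suffix-less entries and rejects the ':SOPHOS' and ':MSSQLSERVER2008' ones, which matches the observed DC behaviour and is exactly why the documentation question above matters for interoperability.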