[cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

Sreekanth Nadendla srenaden at microsoft.com
Sun May 29 01:21:38 UTC 2016

Hi Metze, I will be assisting you with your issue.


-----Original Message-----
From: Bryan Burgin 
Sent: Saturday, May 28, 2016 9:56 AM
To: Stefan Metzmacher <metze at samba.org>; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email <casemail at microsoft.com>
Subject: [REG:116052814221908] Validated-Writes of servicePrincipalNames

[Dochelp to bcc]

Hi Metze

Thank you for your question.  We created SR 116052814221908 to track this issue.  An engineer will contact you soon.


-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org] 
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: Validated-Writes of servicePrincipalNames

Hi DocHelp,

We have seen clients registering servicePrincipalNames like MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.

We're rejecting them, as we didn't know about the :port part,
as MS-ADTS servicePrincipalName doesn't specify this optional part.

Testing against a Windows DC shows that only numeric characters are allowed after ':'. It seems it doesn't need to be a valid tcp/udp port number. It works with '99999'.

I also found a number of Google hits where people use things like:
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non numeric :port parts.

Can you update the MS-ADTS servicePrincipalName section to be more detailed about what is and what is not allowed, maybe together with some examples?

https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some information, but the following is a bit unclear to me:


That should allow "MSSQLSvc/FQDN:SOMENAME" or it has to be


It would be nice to get some hints on what we have to implement.
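
The port rule reported in the message above (digits only after ':', with no range check, so '99999' passes and 'SOPHOS' does not), written out as an added example that is not part of the thread and is neither Samba's nor Microsoft's code. The names `parse_spn`, `SPNError` and `classify` are hypothetical, the sample SPNs are constructed, and rejecting an empty port is an assumption the thread does not cover.

```python
from typing import NamedTuple, Optional

ASCII_DIGITS = frozenset("0123456789")

class SPN(NamedTuple):
    service_class: str
    host: str
    port: Optional[str]  # kept as text: no TCP/UDP range check is applied
    service_name: Optional[str]

class SPNError(ValueError):
    """Raised when an SPN fails the syntax check (hypothetical name)."""

def parse_spn(spn: str) -> SPN:
    # Two-part (class/host[:port]) or three-part (.../servicename) form.
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise SPNError("expected serviceclass/host[:port][/servicename]")
    service_name = parts[2] if len(parts) == 3 else None
    host, colon, port = parts[1].partition(":")
    if not host:
        raise SPNError("empty host")
    # Rule observed in the message: digits only after ':'. str.isdigit()
    # also accepts non-ASCII digits, so compare against an explicit ASCII
    # set. An empty port is rejected (assumption, not from the thread).
    if colon and (not port or not set(port) <= ASCII_DIGITS):
        raise SPNError("port part must be ASCII digits only")
    return SPN(parts[0], host, port if colon else None, service_name)

def classify(spns):
    """Return {spn: 'ok' or the rejection reason} for each input."""
    result = {}
    for spn in spns:
        try:
            parse_spn(spn)
            result[spn] = "ok"
        except SPNError as exc:
            result[spn] = str(exc)
    return result

# Constructed sample values, modelled on the names quoted in the thread.
SAMPLES = [
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:1433",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:99999",
    "MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS",
]

if __name__ == "__main__":
    for spn, verdict in classify(SAMPLES).items():
        print(f"{verdict:40} {spn}")
```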

