[cifs-protocol] [REG:117013115252666] Validated-Writes of servicePrincipalNames
Sreekanth Nadendla
srenaden at microsoft.com
Tue Jan 31 22:44:36 UTC 2017
Hello Metze, I am back in office and I will resume my investigation. Please note that the incident number changed. This is just FYI.
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
-----Original Message-----
From: Stefan Metzmacher [mailto:metze at samba.org]
Sent: Friday, January 13, 2017 9:19 AM
To: Sreekanth Nadendla; cifs-protocol at lists.samba.org
Cc: MSSolve Case Email
Subject: Re: [REG:116052814221908] Validated-Writes of servicePrincipalNames
Hi Sreekanth,
sorry for the long delay.
The difference I see is that you're doing this as administrator.
I'm talking about validated-writes done by an account on its own computer object. And that's what [MS-ADTS] 3.1.1.5.3.1.1.4 servicePrincipalName is about; also see the parent section 3.1.1.5.3.1.1 Validated Writes.
Can you please continue your research on this?
Thanks!
metze
> Hello Stefan, simple tests at my end using a test domain controller show that all of the following values are allowed by the MS Windows domain controller. Before I propose any doc changes, can you confirm which domain controller you used when you say "Testing against a Windows DC shows that **only** numeric characters are allowed after ':'"? Did you mean to say the domain controller itself failed to add such an SPN? Or are you saying that it is the SQL Server that didn't find an SPN that has a nonnumeric character after ":"?
>
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433 lvisser
>
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1 lvisser
>
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2 lvisser
>
> C:\Users\Administrator>setspn -l lvisser
>
> Registered ServicePrincipalNames for CN=lora visser,CN=Users,DC=379135DOM,DC=LAB:
>
> MSSQLSvc/myhost.379135DOM.LAB/MYINST2
> MSSQLSvc/myhost.379135DOM.LAB:MYINST1
> MSSQLSvc/myhost.379135DOM.LAB:1433
>
> You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2
>
> But ultimately, if the SPN does not match the string as constructed by the service, i.e. SQL Server in this case, authentication will fail.
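To make the distinction in this thread concrete, here is an added example (written for this archive page; it is neither Samba's nor Windows' code and was not posted by either correspondent). It parses an SPN of the form serviceclass/host[:port][/servicename] and applies two checks to a self-write by a computer account: that the host component is one of the computer's own names (my reading of the [MS-ADTS] 3.1.1.5.3.1.1.4 requirement, assumed here to mean dNSHostName or sAMAccountName without the trailing "$"), and the numeric-only port restriction Stefan reports observing against a Windows DC. The administrator-driven setspn writes quoted above are not validated writes and would not pass through such a check at all; the SPNs and the computer names used below are taken from, or constructed to match, the quoted session.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Only ASCII digits count as a port; str.isdigit() would also accept
# Unicode digit characters, which is not what a port number is.
_NUMERIC_PORT = re.compile(r"[0-9]+")


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[str]          # text after ':' in the host component, if present
    service_name: Optional[str]  # optional third component


def parse_spn(spn: str) -> Spn:
    """Split 'serviceclass/host[:port][/servicename]' into its parts.

    Raises ValueError for anything that does not have two or three
    non-empty '/'-separated components.
    """
    parts = spn.split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {spn!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, sep, port = host_part.partition(":")
    if not host:
        raise ValueError(f"empty host in SPN: {spn!r}")
    # An SPN like 'svc/host:' has a ':' but nothing after it; keep port as ''
    # so the caller can reject it explicitly rather than treat it as absent.
    return Spn(service_class, host, port if sep else None, service_name)


def validated_write_allowed(spn: str, dns_host_name: str,
                            sam_account_name: str) -> Tuple[bool, str]:
    """Decide whether a computer account may self-write this SPN.

    dns_host_name / sam_account_name are the computer object's own
    attributes (assumed inputs for this example). Returns (allowed, reason).
    """
    try:
        parsed = parse_spn(spn)
    except ValueError as exc:
        return False, str(exc)

    own_names = {dns_host_name.lower(), sam_account_name.rstrip("$").lower()}
    if parsed.host.lower() not in own_names:
        return False, f"host {parsed.host!r} is not one of this computer's own names"

    # The restriction Stefan describes: whatever follows ':' must be numeric
    # for a validated write, so 'host:MYINST1' is refused while 'host:1433' is not.
    if parsed.port is not None and not _NUMERIC_PORT.fullmatch(parsed.port):
        return False, f"port {parsed.port!r} is not numeric"

    return True, "ok"


if __name__ == "__main__":
    # Constructed computer object: the host from the quoted setspn session.
    computer_dns, computer_sam = "myhost.379135DOM.LAB", "MYHOST$"
    for candidate in (
        "MSSQLSvc/myhost.379135DOM.LAB:1433",
        "MSSQLSvc/myhost.379135DOM.LAB:MYINST1",
        "MSSQLSvc/myhost.379135DOM.LAB/MYINST2",
        "MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2",
        "MSSQLSvc/otherhost.379135DOM.LAB:1433",
    ):
        ok, why = validated_write_allowed(candidate, computer_dns, computer_sam)
        print(f"{'allow ' if ok else 'reject'}  {candidate:50s} {why}")
```

Run as-is it walks the SPNs from the quoted session: the numeric-port and instance-name-as-third-component forms are accepted for a self-write, while the instance name after ':' and a foreign host are refused. A setspn run as administrator writes through a different permission path and is not subject to this check, which is the distinction Stefan is drawing.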