[cifs-protocol] [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

Obaid Farooqi obaidf at microsoft.com
Wed May 15 16:52:21 UTC 2019


Hi Isaac:
I'll help you with this issue and will be in touch as soon as I have an answer.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: Jeff McCashland <jeffm at microsoft.com> 
Sent: Wednesday, May 15, 2019 10:47 AM
To: Isaac Boukris <iboukris at gmail.com>
Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew Bartlett <abartlet at samba.org>; support <support at mail.support.microsoft.com>
Subject: RE: [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Isaac,

Thank you for your question on Kerberos. We have created SR ID 119051523001903 to track this issue. One of our protocols engineers will respond soon.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300 We value your feedback.  My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Wednesday, May 15, 2019 7:38 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew Bartlett <abartlet at samba.org>
Subject: [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

Hello dochelp,

According to MS-SFU 2.2.1, the ASN1 definition of PA-FOR-USER is as follows:

padata-type    ::= PA-FOR-USER
        -- value 129
 padata-value   ::= EncryptedData
                      -- PA-FOR-USER-ENC

 PA-FOR-USER-ENC ::= SEQUENCE {
    userName[0] PrincipalName,
    userRealm[1] Realm,
    cksum[2] Checksum,
    auth-package[3] KerberosString
 }

This makes it sound as if the padata content gets encrypted (EncryptedData), but as far as I know, no implementation - including Windows - encrypts this padata, and it is only protected by the checksum. Can you please clarify?

Thanks,
Isaac
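
Added example, not part of the original thread or of MS-SFU: the two encodings the question contrasts can be told apart from the DER structure of the padata-value alone, because field [0] of RFC 4120 EncryptedData (etype) is an INTEGER while field [0] of PA-FOR-USER-ENC (userName) is a PrincipalName SEQUENCE. The function names and all sample bytes are constructed for illustration.

```python
def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a single-byte tag and definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos and return (tag, body, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n >= 0x80:  # long form: low 7 bits give the count of length octets
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("bad length field")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + n], pos + n

def classify_padata_value(der: bytes) -> str:
    """Classify by the universal tag wrapped in field [0] of the outer SEQUENCE."""
    try:
        outer, seq, end = read_tlv(der)
        ctx, field0, _ = read_tlv(seq)
        inner, _, _ = read_tlv(field0)
    except ValueError:
        return "unknown"
    if outer != 0x30 or end != len(der) or ctx != 0xA0:
        return "unknown"
    # EncryptedData: etype [0] is an INTEGER (0x02).
    # PA-FOR-USER-ENC: userName [0] is a PrincipalName SEQUENCE (0x30).
    return {0x02: "EncryptedData", 0x30: "PA-FOR-USER-ENC"}.get(inner, "unknown")

def gs(text: str) -> bytes:
    return tlv(0x1B, text.encode())  # GeneralString (KerberosString, Realm)

# Constructed samples; the checksum type and checksum bytes are placeholders.
NAME = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01")) + tlv(0xA1, tlv(0x30, gs("alice"))))
CKSUM = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01")) + tlv(0xA1, tlv(0x04, bytes(16))))
PA_FOR_USER = tlv(0x30, tlv(0xA0, NAME) + tlv(0xA1, gs("EXAMPLE.COM"))
                  + tlv(0xA2, CKSUM) + tlv(0xA3, gs("Kerberos")))
ENC_DATA = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x12")) + tlv(0xA2, tlv(0x04, bytes(32))))

if __name__ == "__main__":
    for label, blob in (("PA_FOR_USER", PA_FOR_USER), ("ENC_DATA", ENC_DATA)):
        print(label, "->", classify_padata_value(blob))
```

A decoder that follows the EncryptedData wording literally would expect an INTEGER in field [0] and fail on the first sample.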


