[cifs-protocol] [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

Jeff McCashland jeffm at microsoft.com
Wed May 15 15:46:37 UTC 2019

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Issac,

Thank you for your question. on Kerberos. We have created SR ID 119051523001903 to track this issue. One of our protocols engineers will respond soon. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Wednesday, May 15, 2019 7:38 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew Bartlett <abartlet at samba.org>
Subject: [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

Hello dochelp,

According to MS-SFU 2.2.1, the ASN1 definition of PA-FOR-USER is as follows:

padata-type    ::= PA-FOR-USER
        -- value 129
 padata-value   ::= EncryptedData
                      -- PA-FOR-USER-ENC

    userName[0] PrincipalName,
    userRealm[1] Realm,
    cksum[2] Checksum,
    auth-package[3] KerberosString

This makes it sounds as if the padata content gets encrypted (EncryptedData), but as far as I know, no implementation - including Windows - encrypts this padata, and it is only protected by the checksum. Can you please clarify?


More information about the cifs-protocol mailing list