[cifs-protocol] [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1 [119051523001903]

Obaid Farooqi obaidf at microsoft.com
Mon May 20 05:18:12 UTC 2019


Hi Isaac:
Thanks for pointing this out to us. As you noted, PA-FOR-USER is only signed (and not encrypted). I have filed a bug to fix this issue.

Please let me know if this does not answer your question.
Also feel free to ask if you have any other question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

-----Original Message-----
From: Obaid Farooqi 
Sent: Wednesday, May 15, 2019 11:52 AM
To: Isaac Boukris <iboukris at gmail.com>
Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew Bartlett <abartlet at samba.org>; support <support at mail.support.microsoft.com>
Subject: RE: [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

Hi Isaac:
I'll help you with this issue and will be in touch as soon as I have an answer.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at ramagane at Microsoft dot com

-----Original Message-----
From: Jeff McCashland <jeffm at microsoft.com> 
Sent: Wednesday, May 15, 2019 10:47 AM
To: Isaac Boukris <iboukris at gmail.com>
Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew Bartlett <abartlet at samba.org>; support <support at mail.support.microsoft.com>
Subject: RE: [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Isaac,

Thank you for your question on Kerberos. We have created SR ID 119051523001903 to track this issue. One of our protocols engineers will respond soon.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300 We value your feedback.  My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Wednesday, May 15, 2019 7:38 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew Bartlett <abartlet at samba.org>
Subject: [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1

Hello dochelp,

According to MS-SFU 2.2.1, the ASN1 definition of PA-FOR-USER is as follows:

padata-type    ::= PA-FOR-USER
        -- value 129
 padata-value   ::= EncryptedData
                      -- PA-FOR-USER-ENC

 PA-FOR-USER-ENC ::= SEQUENCE {
    userName[0] PrincipalName,
    userRealm[1] Realm,
    cksum[2] Checksum,
    auth-package[3] KerberosString
 }

This makes it sound as if the padata content gets encrypted (EncryptedData), but as far as I know, no implementation - including Windows - encrypts this padata, and it is only protected by the checksum. Can you please clarify?

Thanks,
Isaac
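
The checksum-only protection discussed in this thread, as an added example that is not part of the original messages or of any implementation named in them. It follows the cksum description in MS-SFU 2.2.1 and the HMAC-MD5 checksum of RFC 4757; the function names, the key and the principal values are constructed for illustration.

```python
import hashlib
import hmac
import struct

S4U_CKSUM_USAGE = 17   # message type value MS-SFU 2.2.1 gives for this checksum
KRB_NT_PRINCIPAL = 1   # name-type used by the constructed sample below

def kerb_checksum_hmac_md5(key, usage, data):
    """KERB_CHECKSUM_HMAC_MD5 as defined in RFC 4757."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def s4u_byte_array(name_type, name_strings, realm, auth_package):
    """name-type as 4-byte little-endian, then the strings, no terminators."""
    parts = list(name_strings) + [realm, auth_package]
    return struct.pack("<I", name_type) + "".join(parts).encode("utf-8")

def pa_for_user_cksum(tgt_session_key, name_type, name_strings, realm,
                      auth_package="Kerberos"):
    """Checksum carried in cksum[2]; the other fields stay in cleartext."""
    data = s4u_byte_array(name_type, name_strings, realm, auth_package)
    return kerb_checksum_hmac_md5(tgt_session_key, S4U_CKSUM_USAGE, data)

def verify_pa_for_user(tgt_session_key, name_type, name_strings, realm,
                       auth_package, cksum):
    """Receiver side: recompute over the received fields, constant-time compare."""
    expected = pa_for_user_cksum(tgt_session_key, name_type, name_strings,
                                 realm, auth_package)
    return hmac.compare_digest(expected, cksum)

# Constructed sample key standing in for the TGT session key.
SAMPLE_KEY = bytes(range(16))

if __name__ == "__main__":
    ck = pa_for_user_cksum(SAMPLE_KEY, KRB_NT_PRINCIPAL, ["alice"], "EXAMPLE.COM")
    print("cksum:", ck.hex())
    print("intact fields verify:",
          verify_pa_for_user(SAMPLE_KEY, KRB_NT_PRINCIPAL, ["alice"],
                             "EXAMPLE.COM", "Kerberos", ck))
    print("altered userName verifies:",
          verify_pa_for_user(SAMPLE_KEY, KRB_NT_PRINCIPAL, ["bob"],
                             "EXAMPLE.COM", "Kerberos", ck))
```

The fields are readable on the wire, so the checksum gives integrity under the TGT session key and no confidentiality.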


