[cifs-protocol] [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER ASN1 [119051523001903]

Isaac Boukris iboukris at gmail.com
Mon May 20 07:32:35 UTC 2019


Thanks Obaid for clarifying this, it answered the question for me.

Regards.

On Mon, May 20, 2019 at 7:18 AM Obaid Farooqi <obaidf at microsoft.com> wrote:

> Hi Isaac:
> Thanks for pointing this out to us. As you noted, PA-FOR-USER is only signed
> (and not encrypted). I have filed a bug to fix this issue.
>
> Please let me know if this does not answer your question.
> Also feel free to ask if you have any other question.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Obaid Farooqi
> Sent: Wednesday, May 15, 2019 11:52 AM
> To: Isaac Boukris <iboukris at gmail.com>
> Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew
> Bartlett <abartlet at samba.org>; support <support at mail.support.microsoft.com>
> Subject: RE: [MS-SFU] Clarification about the ASN1 definition of
> PA_FOR_USER ASN1
>
> Hi Isaac:
> I'll help you with this issue and will be in touch as soon as I have an
> answer.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> Exceeding your expectations is my highest priority.  If you would like to
> provide feedback on your case you may contact my manager at ramagane at
> Microsoft dot com
>
> -----Original Message-----
> From: Jeff McCashland <jeffm at microsoft.com>
> Sent: Wednesday, May 15, 2019 10:47 AM
> To: Isaac Boukris <iboukris at gmail.com>
> Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew
> Bartlett <abartlet at samba.org>; support <support at mail.support.microsoft.com>
> Subject: RE: [MS-SFU] Clarification about the ASN1 definition of
> PA_FOR_USER ASN1
>
> [DocHelp to BCC, support on CC, SR ID on Subject]
>
> Hi Isaac,
>
> Thank you for your question on Kerberos. We have created SR ID
> 119051523001903 to track this issue. One of our protocols engineers will
> respond soon.
>
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00)
> Pacific Time (US and Canada) Local country phone number found here:
> http://support.microsoft.com/globalenglish
> | Extension 1138300 We value your feedback.  My manager is Jeremy Chapman
> (jeremyc), +1 (469) 775-2475
>
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Wednesday, May 15, 2019 7:38 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Uri Simchoni <uri at samba.org>; Andrew
> Bartlett <abartlet at samba.org>
> Subject: [MS-SFU] Clarification about the ASN1 definition of PA_FOR_USER
> ASN1
>
> Hello dochelp,
>
> According to MS-SFU 2.2.1, the ASN1 definition of PA-FOR-USER is as
> follows:
>
> padata-type    ::= PA-FOR-USER
>         -- value 129
>  padata-value   ::= EncryptedData
>                       -- PA-FOR-USER-ENC
>
>  PA-FOR-USER-ENC ::= SEQUENCE {
>     userName[0] PrincipalName,
>     userRealm[1] Realm,
>     cksum[2] Checksum,
>     auth-package[3] KerberosString
>  }
>
> This makes it sound as if the padata content gets encrypted
> (EncryptedData), but as far as I know, no implementation - including
> Windows - encrypts this padata, and it is only protected by the checksum.
> Can you please clarify?
>
> Thanks,
> Isaac
>
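Added example, not part of the thread or of MS-SFU: a minimal DER walk that tells apart the two encodings discussed above, a bare PA-FOR-USER-ENC SEQUENCE versus the RFC 4120 EncryptedData wrapper (etype [0], optional kvno [1], cipher [2]) that the specification text implies. The function names and the sample principal, realm and zeroed checksum/cipher bytes are constructed for illustration.

```python
def tlv(tag, *parts):
    """Encode one DER element; used only to build the constructed samples."""
    body = b"".join(parts)
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def read_tlv(buf, pos=0):
    """Decode the DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def classify_padata_value(blob):
    """Tell a bare PA-FOR-USER-ENC from an RFC 4120 EncryptedData wrapper."""
    tag, body, end = read_tlv(blob)
    if tag != 0x30 or end != len(blob):     # must be exactly one SEQUENCE
        return "unknown"
    shape, pos = {}, 0
    while pos < len(body):                  # map [n] -> tag of the wrapped type
        ctx, inner, pos = read_tlv(body, pos)
        if ctx & 0xE0 != 0xA0 or not inner:
            return "unknown"
        shape[ctx & 0x1F] = inner[0]
    if shape == {0: 0x30, 1: 0x1B, 2: 0x30, 3: 0x1B}:
        return "PA-FOR-USER-ENC"            # userName, userRealm, cksum, auth-package
    if shape in ({0: 0x02, 2: 0x04}, {0: 0x02, 1: 0x02, 2: 0x04}):
        return "EncryptedData"              # etype, [kvno], cipher
    return "unknown"

# Constructed samples: made-up names, zeroed checksum and cipher bytes.
def gs(s): return tlv(0x1B, s.encode())     # GeneralString
def num(n, size=1): return tlv(0x02, n.to_bytes(size, "big", signed=True))
name = tlv(0x30, tlv(0xA0, num(1)), tlv(0xA1, tlv(0x30, gs("alice"))))
cksum = tlv(0x30, tlv(0xA0, num(-138, 2)), tlv(0xA1, tlv(0x04, bytes(16))))
PLAIN = tlv(0x30, tlv(0xA0, name), tlv(0xA1, gs("EXAMPLE.COM")),
            tlv(0xA2, cksum), tlv(0xA3, gs("Kerberos")))
WRAPPED = tlv(0x30, tlv(0xA0, num(18)), tlv(0xA2, tlv(0x04, bytes(32))))

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("wrapped", WRAPPED)):
        print(label, "->", classify_padata_value(blob))
```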