[cifs-protocol] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows

Isaac Boukris iboukris at gmail.com
Wed Apr 22 12:21:25 UTC 2020

Hello dochelp,

From many tests involving MS-PAC authorization data in a ticket, and
recently by testing authorization-data in the authenticator (ap-req),
it appears as if Windows would only handle the first AD-IF-RELEVANT
element (RFC4120), and would ignore additional ones when present.

So if for instance a ticket has more than one AD-IF-RELEVANT element
and the PAC is wrapped in the second one, the server fails to handle
the request. Same goes for KERB_AP_OPTIONS_CBT in authenticator, I can
see that it is not handled when it is wrapped in a second

I wonder if this understanding is correct, if it is a known issue, if
it is documented anywhere, and whether this is planned to be fixed in
future versions of Windows.
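
The layout described above, as an added example that is not part of the original post: a minimal DER walk over RFC 4120 AuthorizationData that looks for AD-WIN2K-PAC (ad-type 128) either in every AD-IF-RELEVANT wrapper or, with `first_wrapper_only=True`, only in the first one, which models the behaviour the post reports observing (it is not Windows code). The helper names, the sample bytes and ad-type 9999 are constructed for illustration.

```python
AD_IF_RELEVANT = 1    # RFC 4120
AD_WIN2K_PAC = 128    # MS-PAC

def tlv(tag, body):  # encoder for the constructed sample only
    assert len(body) < 0x80, "short-form DER length only"
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):  # -> (tag, body, next_pos); short or long form length
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + n], pos + n

def encode_authdata(elements):  # list of (ad_type >= 0, ad_data) -> DER bytes
    out = b""
    for ad_type, ad_data in elements:
        num = ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big")
        out += tlv(0x30, tlv(0xA0, tlv(0x02, num)) + tlv(0xA1, tlv(0x04, ad_data)))
    return tlv(0x30, out)

def decode_authdata(buf):  # DER bytes -> list of (ad_type, ad_data)
    seq, items, pos = read_tlv(buf, 0)[1], [], 0
    while pos < len(seq):
        _, entry, pos = read_tlv(seq, pos)
        _, t, nxt = read_tlv(entry, 0)    # [0] ad-type  (INTEGER)
        _, d, _ = read_tlv(entry, nxt)    # [1] ad-data  (OCTET STRING)
        items.append((int.from_bytes(read_tlv(t, 0)[1], "big", signed=True), read_tlv(d, 0)[1]))
    return items

def find_element(buf, wanted, first_wrapper_only=False):
    # first_wrapper_only=True models the behaviour reported in the post.
    wrappers = 0
    for ad_type, ad_data in decode_authdata(buf):
        if ad_type == wanted:
            return ad_data
        if ad_type == AD_IF_RELEVANT:
            wrappers += 1
            if wrappers == 1 or not first_wrapper_only:
                hit = find_element(ad_data, wanted, first_wrapper_only)
                if hit is not None:
                    return hit
    return None

# Constructed sample: PAC inside the second of two AD-IF-RELEVANT wrappers.
PAC = b"constructed-pac-bytes"
TICKET_AD = encode_authdata([
    (AD_IF_RELEVANT, encode_authdata([(9999, b"other")])),   # 9999: made-up type
    (AD_IF_RELEVANT, encode_authdata([(AD_WIN2K_PAC, PAC)]))])
```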


