[cifs-protocol] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows
Isaac Boukris
iboukris at gmail.com
Wed Apr 22 12:21:25 UTC 2020
Hello dochelp,

From many tests involving MS-PAC authorization data in a ticket, and
recently by testing authorization-data in the authenticator (ap-req),
it appears as if Windows would only handle the first AD-IF-RELEVANT
element (RFC4120), and would ignore additional ones when present.

So if for instance a ticket has more than one AD-IF-RELEVANT element
and the PAC is wrapped in the second one, the server fails to handle
the request. Same goes for KERB_AP_OPTIONS_CBT in authenticator, I can
see that it is not handled when it is wrapped in a second
AD-IF-RELEVANT.

I wonder if this understanding is correct, if it is a known issue, if
it is documented anywhere, and whether this is planned to be fixed in
future versions of Windows.

Thanks!
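
The layout described in the message above, as an added example that is not part of the original post and is not Windows or Samba code: a minimal DER encoder/decoder for RFC 4120 AuthorizationData that contrasts a lookup limited to the first AD-IF-RELEVANT container with one that walks all of them. The ad-type 999, the payload bytes and the function names are constructed for illustration; `first_only=True` only models the behaviour the post reports.

```python
AD_IF_RELEVANT = 1    # RFC 4120
AD_WIN2K_PAC = 128    # ad-type used for the MS-PAC element

def tlv(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def encode_authdata(elements):
    """SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }."""
    out = b""
    for ad_type, ad_data in elements:   # non-negative ad-types only
        integer = tlv(0x02, ad_type.to_bytes(ad_type.bit_length() // 8 + 1, "big"))
        out += tlv(0x30, tlv(0xA0, integer) + tlv(0xA1, tlv(0x04, ad_data)))
    return tlv(0x30, out)

def decode_authdata(der):
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    result = []
    for _, elem in children(body):
        (_, t), (_, d) = children(elem)          # [0] ad-type, [1] ad-data
        result.append((int.from_bytes(read_tlv(t, 0)[1], "big", signed=True),
                       read_tlv(d, 0)[1]))
    return result

def find_in_if_relevant(der, wanted, first_only):
    """Collect ad-data of type `wanted` wrapped in AD-IF-RELEVANT containers."""
    boxes = [d for t, d in decode_authdata(der) if t == AD_IF_RELEVANT]
    return [d for box in (boxes[:1] if first_only else boxes)
            for t, d in decode_authdata(box) if t == wanted]

# Constructed sample: the PAC placeholder sits in the second AD-IF-RELEVANT.
SAMPLE = encode_authdata([
    (AD_IF_RELEVANT, encode_authdata([(999, b"constructed-other")])),
    (AD_IF_RELEVANT, encode_authdata([(AD_WIN2K_PAC, b"constructed-pac")]))])
```
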