[cifs-protocol] [REG:120042221001608] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows
Bryan Burgin
bburgin at microsoft.com
Wed Apr 22 16:02:33 UTC 2020
Hi Isaac,
Thank you for your question. We created SR 120042221001608 to track this issue. An engineer will contact you soon.
Bryan
-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Wednesday, April 22, 2020 5:21 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; Stefan Metzmacher <metze at samba.org>; Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows
Hello dochelp,
From many tests involving MS-PAC authorization data in a ticket, and recently by testing authorization-data in the authenticator (ap-req), it appears as if Windows would only handle the first AD-IF-RELEVANT element (RFC4120), and would ignore additional ones when present.
So if for instance a ticket has more than one AD-IF-RELEVANT element and the PAC is wrapped in the second one, the server fails to handle the request. Same goes for KERB_AP_OPTIONS_CBT in authenticator, I can see that it is not handled when it is wrapped in a second AD-IF-RELEVANT.
I wonder if this understanding is correct, if it is a known issue, if it is documented anywhere, and whether this is planned to be fixed in future versions of Windows.
Thanks!
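The layout described in the question, as an added example that is not part of the original thread and is not Windows, MIT or Samba code: a minimal DER encoder/decoder for RFC 4120 AuthorizationData, showing why a PAC wrapped in the second AD-IF-RELEVANT element is missed by a scan that stops at the first one. The `first_only` flag is an assumption that models the reported behaviour, and the sample bytes are constructed.

```python
AD_IF_RELEVANT = 1   # RFC 4120
AD_WIN2K_PAC = 128   # RFC 4120 / MS-PAC

def _tlv(tag, body):  # DER tag-length-value, definite length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def encode_authdata(elements):  # [(ad_type, ad_data)] -> DER AuthorizationData
    def one(t, d):
        num = _tlv(0x02, t.to_bytes(t.bit_length() // 8 + 1, "big"))
        return _tlv(0x30, _tlv(0xA0, num) + _tlv(0xA1, _tlv(0x04, d)))
    return _tlv(0x30, b"".join(one(t, d) for t, d in elements))

def _read(buf, pos, tag):  # -> (value, next_pos) of the TLV at pos
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated input")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("length runs past end of buffer")
    return buf[pos:pos + n], pos + n

def decode_authdata(der):  # DER AuthorizationData -> [(ad_type, ad_data)]
    seq, _ = _read(der, 0, 0x30)
    out, pos = [], 0
    while pos < len(seq):
        elem, pos = _read(seq, pos, 0x30)
        typ, nxt = _read(elem, 0, 0xA0)                       # ad-type [0]
        data = _read(_read(elem, nxt, 0xA1)[0], 0, 0x04)[0]   # ad-data [1]
        out.append((int.from_bytes(_read(typ, 0, 0x02)[0], "big", signed=True), data))
    return out

def find_pac(der, first_only):  # first_only models the reported behaviour
    boxes = [d for t, d in decode_authdata(der) if t == AD_IF_RELEVANT]
    for box in boxes[:1] if first_only else boxes:
        for t, d in decode_authdata(box):
            if t == AD_WIN2K_PAC:
                return d
    return None

# Constructed sample: filler element in the first wrapper, PAC in the second.
PAC = b"constructed-pac-bytes"
FIRST = encode_authdata([(129, b"\x30\x00")])
SECOND = encode_authdata([(AD_WIN2K_PAC, PAC)])
SAMPLE = encode_authdata([(AD_IF_RELEVANT, FIRST), (AD_IF_RELEVANT, SECOND)])
```

`find_pac(SAMPLE, first_only=True)` returns `None`, while `find_pac(SAMPLE, first_only=False)` returns the PAC bytes.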