[cifs-protocol] [REG:120042221001608] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows

Bryan Burgin bburgin at microsoft.com
Wed Apr 22 16:02:33 UTC 2020

Hi Isaac,

Thank you for your question.  We created SR 120042221001608 to track this issue.  An engineer will contact you soon.


-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Wednesday, April 22, 2020 5:21 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; Stefan Metzmacher <metze at samba.org>; Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows

Hello dochelp,

From many tests involving MS-PAC authorization data in a ticket, and recently by testing authorization-data in the authenticator (ap-req), it appears as if Windows would only handle the first AD-IF-RELEVANT element (RFC4120), and would ignore additional ones when present.

So if for instance a ticket has more than one AD-IF-RELEVANT element and the PAC is wrapped in the second one, the server fails to handle the request. Same goes for KERB_AP_OPTIONS_CBT in authenticator, I can see that it is not handled when it is wrapped in a second AD-IF-RELEVANT.

I wonder if this understanding is correct, if it is a known issue, if it is documented anywhere, and whether this is planned to be fixed in future versions of Windows.


More information about the cifs-protocol mailing list