[cifs-protocol] [REG:120042221001608] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows

Jeff McCashland jeffm at microsoft.com
Wed Apr 22 20:08:31 UTC 2020


[Bryan to BCC]

Hi Isaac,

I will assist you with this issue. Let me do some research and get back to you. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475

-----Original Message-----
From: Bryan Burgin <bburgin at microsoft.com> 
Sent: Wednesday, April 22, 2020 9:03 AM
To: Isaac Boukris <iboukris at gmail.com>; Greg Hudson <ghudson at mit.edu>; Stefan Metzmacher <metze at samba.org>; Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Cc: support <support at mail.support.microsoft.com>
Subject: [REG:120042221001608] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows

Hi Isaac,

Thank you for your question.  We created SR 120042221001608 to track this issue.  An engineer will contact you soon.

Bryan

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Wednesday, April 22, 2020 5:21 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; Stefan Metzmacher <metze at samba.org>; Andrew Bartlett <abartlet at samba.org>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows

Hello dochelp,

From many tests involving MS-PAC authorization data in a ticket, and recently by testing authorization-data in the authenticator (ap-req), it appears as if Windows would only handle the first AD-IF-RELEVANT element (RFC4120), and would ignore additional ones when present.

So if for instance a ticket has more than one AD-IF-RELEVANT element and the PAC is wrapped in the second one, the server fails to handle the request. Same goes for KERB_AP_OPTIONS_CBT in the authenticator; I can see that it is not handled when it is wrapped in a second AD-IF-RELEVANT.

I wonder if this understanding is correct, if it is a known issue, if it is documented anywhere, and whether this is planned to be fixed in future versions of Windows.

Thanks!
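The behaviour Isaac describes can be made concrete with a small DER walker for the RFC 4120 AuthorizationData structure. The following is an added example, not code from the thread or from Windows, Samba or MIT krb5: it builds a constructed AuthorizationData value with two AD-IF-RELEVANT containers, places a PAC-typed element in the second one, and contrasts a lookup that opens only the first container (the observed behaviour) with one that walks every container. The ad-type values are AD-IF-RELEVANT = 1 and AD-WIN2K-PAC = 128 from RFC 4120 and AD-AUTH-DATA-AP-OPTIONS = 143 from MS-KILE; the element payloads are placeholder bytes, not real PAC or CBT structures.

```python
"""
Added example (not part of the mailing-list thread): a minimal DER encoder and
decoder for Kerberos AuthorizationData (RFC 4120 section 5.2.6), used to show
why an element wrapped in the second AD-IF-RELEVANT container is invisible to
a consumer that only opens the first one.
"""
from typing import List, Optional, Tuple

AD_IF_RELEVANT = 1             # RFC 4120 section 5.2.6.1
AD_WIN2K_PAC = 128             # RFC 4120 section 7.5.4 (MS-PAC)
AD_AUTH_DATA_AP_OPTIONS = 143  # MS-KILE KERB-AP-OPTIONS-CBT ad-type


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    # Minimal two's-complement INTEGER; 128 and above need a leading 0x00 byte.
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)
    return _tlv(0x02, body)


def encode_authorization_data(elements: List[Tuple[int, bytes]]) -> bytes:
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }."""
    items = b"".join(
        _tlv(0x30, _tlv(0xA0, _der_int(ad_type)) + _tlv(0xA1, _tlv(0x04, ad_data)))
        for ad_type, ad_data in elements
    )
    return _tlv(0x30, items)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def _expect(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    t, body, end = _read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{t:02x}")
    return body, end


def decode_authorization_data(der: bytes) -> List[Tuple[int, bytes]]:
    """Return the top-level (ad-type, ad-data) pairs; nested containers stay opaque."""
    outer, end = _expect(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    out, pos = [], 0
    while pos < len(outer):
        elem, pos = _expect(outer, pos, 0x30)
        ctx0, p = _expect(elem, 0, 0xA0)
        ctx1, p2 = _expect(elem, p, 0xA1)
        if p2 != len(elem):
            raise ValueError("unexpected bytes in AuthorizationData element")
        int_body, _ = _expect(ctx0, 0, 0x02)
        ad_data, _ = _expect(ctx1, 0, 0x04)
        out.append((int.from_bytes(int_body, "big", signed=True), ad_data))
    return out


def find_first_container_only(der: bytes, wanted: int) -> Optional[bytes]:
    """Model of the behaviour reported above: only the first AD-IF-RELEVANT is opened."""
    for ad_type, ad_data in decode_authorization_data(der):
        if ad_type == AD_IF_RELEVANT:
            for t, d in decode_authorization_data(ad_data):
                if t == wanted:
                    return d
            return None  # later containers are never examined
    return None


def find_in_all_containers(der: bytes, wanted: int) -> Optional[bytes]:
    """Interoperable lookup: check the top level and recurse into every AD-IF-RELEVANT."""
    for ad_type, ad_data in decode_authorization_data(der):
        if ad_type == wanted:
            return ad_data
        if ad_type == AD_IF_RELEVANT:
            hit = find_in_all_containers(ad_data, wanted)
            if hit is not None:
                return hit
    return None


# Constructed sample: CBT-typed element in the first container, PAC-typed element in
# the second. Payloads are placeholders, not real KERB_AP_OPTIONS_CBT or PAC bytes.
FIRST = encode_authorization_data([(AD_AUTH_DATA_AP_OPTIONS, b"placeholder-ap-options")])
SECOND = encode_authorization_data([(AD_WIN2K_PAC, b"<placeholder PAC bytes>")])
SAMPLE = encode_authorization_data([(AD_IF_RELEVANT, FIRST), (AD_IF_RELEVANT, SECOND)])

if __name__ == "__main__":
    print("PAC via first container only:", find_first_container_only(SAMPLE, AD_WIN2K_PAC))
    print("PAC via all containers      :", find_in_all_containers(SAMPLE, AD_WIN2K_PAC))
```

Running the script prints `None` for the first lookup and the placeholder PAC bytes for the second, which is the difference between a consumer that stops after the first AD-IF-RELEVANT and one that walks all of them. When diagnosing an interoperability failure like the one above, dumping the top-level ad-types with `decode_authorization_data` shows immediately whether the element a server is expected to honour sits in a later container.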
