[cifs-protocol]  [MS-SFU]Errata from 2019/12/09 - if RBCD bit is set should KDC match in ServicesAllowedToReceiveForwardedTicketsFrom
HungChun.Yu at microsoft.com
Tue Jan 28 18:21:05 UTC 2020
Thank you for your question. We created SR 120012821001594 and please leave this info in the subject line to track your issue. An engineer will contact you soon.
Microsoft Protocols Support
From: Isaac Boukris <iboukris at gmail.com>
Sent: Tuesday, January 28, 2020 9:10 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; cifs-protocol at lists.samba.org <cifs-protocol at lists.samba.org>
Subject: [EXTERNAL] Clarification request on recent errata of MS-SFU from 2019/12/09
I noticed some changes to MS-SFU with regard to S4U2Proxy.
The changes mostly makes sense, apart from the following new section
I'm having hard time with, quote:
If the service ticket in the additional-tickets field is not set to
forwardable<19> and the PA-PAC-OPTIONS  ([MS-KILE] section
2.2.10) padata type has the resource-based constrained delegation bit
set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.
If the RBCD bit is set, shouldn't the KDC try to match in
ServicesAllowedToReceiveForwardedTicketsFrom, as it follows in the
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cifs-protocol