[cifs-protocol] [MS-SFU] Errata from 2019/12/09 - if RBCD bit is set should KDC match in ServicesAllowedToReceiveForwardedTicketsFrom
srenaden at microsoft.com
Tue Jan 28 21:07:08 UTC 2020
Hello Isaac, I'm researching this issue for you. I will provide you with an update as soon as I have some details to share with you.
Microsoft Windows Open Specifications
From: Isaac Boukris <iboukris at gmail.com>
Sent: Tuesday, January 28, 2020 9:10 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Clarification request on recent errata of MS-SFU from 2019/12/09
I noticed some changes to MS-SFU with regard to S4U2Proxy.
The changes mostly make sense, apart from the following new section
I'm having a hard time with, quote:
If the service ticket in the additional-tickets field is not set to
forwardable<19> and the PA-PAC-OPTIONS ([MS-KILE] section
2.2.10) padata type has the resource-based constrained delegation bit
set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.
If the RBCD bit is set, shouldn't the KDC try to match in
ServicesAllowedToReceiveForwardedTicketsFrom, as it follows in the