[cifs-protocol] [120012821001594] [MS-SFU]Errata from 2019/12/09 - if RBCD bit is set should KDC match in ServicesAllowedToReceiveForwardedTicketsFrom

Sreekanth Nadendla srenaden at microsoft.com
Thu Jan 30 21:48:16 UTC 2020


Hi Isaac,
Product group confirms that this is the case in which the evidence ticket is not forwardable, i.e. the user is marked as sensitive and may not be delegated.  In that case, it doesn't matter whether the delegation would otherwise be allowed.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

________________________________
From: Isaac Boukris <iboukris at gmail.com>
Sent: Tuesday, January 28, 2020 9:10 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Greg Hudson <ghudson at mit.edu>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Clarification request on recent errata of MS-SFU from 2019/12/09

Hello dochelp,

I noticed some changes to MS-SFU with regard to S4U2Proxy.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/68c4fd08-207c-4353-b59d-4d281edfb6bf

The changes mostly make sense, apart from the following new section
I'm having a hard time with, quote:

If the service ticket in the additional-tickets field is not set to
forwardable<19> and the PA-PAC-OPTIONS [167] ([MS-KILE] section
2.2.10) padata type has the resource-based constrained delegation bit
set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.

Unquote.

If the RBCD bit is set, shouldn't the KDC try to match in
ServicesAllowedToReceiveForwardedTicketsFrom, as it follows in the
document?

Thank you
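To make the ordering that the errata and the reply above describe concrete, here is an added illustration (my own model, not code from MS-SFU, Windows or any KDC implementation) of the RBCD branch of the S4U2Proxy check: the forwardable flag on the evidence ticket is tested before the target's ServicesAllowedToReceiveForwardedTicketsFrom list is consulted, so a sensitive user's ticket is rejected even when the allow list would otherwise match. The SPNs, account names and the CLASSIC_PATH placeholder are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ISSUE = "issue S4U2Proxy service ticket"
    BADOPTION_NO_MATCH = "KRB-ERR-BADOPTION with STATUS_NO_MATCH"
    CLASSIC_PATH = "non-RBCD constrained delegation (not modelled here)"


@dataclass(frozen=True)
class EvidenceTicket:
    """The service ticket carried in the additional-tickets field of the TGS-REQ."""
    client: str
    forwardable: bool  # False when the user is marked sensitive / may not be delegated


@dataclass(frozen=True)
class TargetService:
    spn: str
    # ServicesAllowedToReceiveForwardedTicketsFrom: the services from which this
    # target accepts forwarded (S4U2Proxy) tickets, i.e. the RBCD allow list.
    allowed_from: frozenset


def s4u2proxy_decision(requester, evidence, target, rbcd_bit):
    """KDC-side decision for an S4U2Proxy request on the RBCD path.

    The forwardable check comes first: a non-forwardable evidence ticket is
    rejected before the allow list is looked at, so whether delegation would
    otherwise be allowed does not matter.
    """
    if not rbcd_bit:
        return Verdict.CLASSIC_PATH  # assumption: classic path left out of this model
    if not evidence.forwardable:
        return Verdict.BADOPTION_NO_MATCH
    if requester in target.allowed_from:
        return Verdict.ISSUE
    return Verdict.BADOPTION_NO_MATCH


# Constructed sample data (hypothetical SPNs and accounts)
WEB = "HTTP/web.example.test"
SQL = TargetService("MSSQLSvc/db.example.test", frozenset({WEB}))
ALICE_TICKET = EvidenceTicket("alice", forwardable=True)
ADMIN_TICKET = EvidenceTicket("admin", forwardable=False)  # sensitive account

if __name__ == "__main__":
    for ticket in (ALICE_TICKET, ADMIN_TICKET):
        print(ticket.client, "->", s4u2proxy_decision(WEB, ticket, SQL, True).value)
```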

