[cifs-protocol] [EXTERNAL] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Mike Bowen Mike.Bowen at microsoft.com
Tue Aug 10 17:29:04 UTC 2021

[BCC DocHelp]

Hi Isaac,

Thank you contacting Microsoft Open Specifications Support. A case with TrackingID#2108090040003380 has been created for this inquiry. Please leave the numbers in the subject line for reference. One of our team members will follow-up with you soon.

Mike Bowen
Escalation Engineer - Microsoft Open Specifications

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Tuesday, August 10, 2021 7:09 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Cc: Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
Subject: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment

Hello dochelp!

I've been running some S4U tests in a RODC environment against fully updated Windows KDCs (supporting pac-ticket-signature). I noticed the following behavior when making a S4U2Proxy request to a RWDC, using a TGT and/or a 2nd ticket that was issued by a RODC (attached packet capture and keytab).

TGT | 2nd-ticket | kdc | result
rwdc | rwdc | rwdc | works
rwdc | rodc | rwdc | err-modified?
rodc | rwdc | rwdc | works!
rodc | rodc | rwdc | works!

You'd notice that test 3 and 4 both work, meaning the 2nd ticket can be issued by either a RWDC or a RODC, I guess the KDC checks the RODCIdentifier in the KDC PAC signatures (MS-PAC 2.8
PAC_SIGNATURE_DATA) in order to know what key to use to to verify the signature, but it isn't clearly documented afaict.

What I wonder about is test 2, this test uses a normal TGT with a 2nd ticket issued by a RODC, and we make the request against the RWDC, which knows the rodc-krbtgt_46673 key with which the pac-ticket was signed, so why does it fail with err-modified? Why is it worse than test 4 where both the TGT and the 2nd ticket were issued by RODC and it still works? And where is this error path documented (or should be)?


More information about the cifs-protocol mailing list