[cifs-protocol] [EXTERNAL] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Isaac Boukris iboukris at gmail.com
Fri Aug 27 12:08:16 UTC 2021

Hi again,

Any takers?

Thanks :)

On Tue, Aug 10, 2021 at 8:29 PM Mike Bowen <Mike.Bowen at microsoft.com> wrote:
> [BCC DocHelp]
> Hi Isaac,
> Thank you for contacting Microsoft Open Specifications Support. A case with TrackingID#2108090040003380 has been created for this inquiry. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.
> Mike Bowen
> Escalation Engineer - Microsoft Open Specifications
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Tuesday, August 10, 2021 7:09 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
> Cc: Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
> Subject: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment
> Hello dochelp!
> I've been running some S4U tests in a RODC environment against fully updated Windows KDCs (supporting pac-ticket-signature). I noticed the following behavior when making a S4U2Proxy request to a RWDC, using a TGT and/or a 2nd ticket that was issued by a RODC (attached packet capture and keytab).
> TGT  | 2nd-ticket | kdc  | result
> rwdc | rwdc       | rwdc | works
> rwdc | rodc       | rwdc | err-modified?
> rodc | rwdc       | rwdc | works!
> rodc | rodc       | rwdc | works!
> You'd notice that tests 3 and 4 both work, meaning the 2nd ticket can be issued by either a RWDC or a RODC. I guess the KDC checks the RODCIdentifier in the KDC PAC signatures (MS-PAC 2.8 PAC_SIGNATURE_DATA) in order to know what key to use to verify the signature, but it isn't clearly documented afaict.
> What I wonder about is test 2: this test uses a normal TGT with a 2nd ticket issued by a RODC, and we make the request against the RWDC, which knows the rodc-krbtgt_46673 key with which the pac-ticket was signed, so why does it fail with err-modified? Why is it worse than test 4, where both the TGT and the 2nd ticket were issued by a RODC and it still works? And where is this error path documented (or should be)?
> Thanks!
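Added example, not part of this thread and not Samba or MIT Kerberos code: a small parser for the MS-PAC 2.8 PAC_SIGNATURE_DATA layout that pulls out the RODCIdentifier and maps it to the krbtgt_<id> account whose key a verifier would need, illustrating the key-selection guess in the quoted mail. Field sizes follow MS-PAC; the sample buffers are constructed (the RODC id 46673 is taken from the rodc-krbtgt_46673 name above), and the kvno helper assumes the usual RODC convention of carrying the RODC id in the upper 16 bits of the key version number.

```python
import struct

# MS-PAC 2.8 PAC_SIGNATURE_DATA:
#   SignatureType  (4 bytes, little-endian ULONG)
#   Signature      (length depends on SignatureType)
#   RODCIdentifier (2 bytes, little-endian USHORT; present only in the
#                   KDC signature when the signing KDC is an RODC)
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76
HMAC_SHA1_96_AES128 = 0x0000000F
HMAC_SHA1_96_AES256 = 0x00000010
SIGNATURE_LENGTH = {
    KERB_CHECKSUM_HMAC_MD5: 16,
    HMAC_SHA1_96_AES128: 12,
    HMAC_SHA1_96_AES256: 12,
}


def parse_pac_signature_data(buf: bytes) -> dict:
    """Split a PAC_SIGNATURE_DATA buffer into type, signature and RODC id."""
    if len(buf) < 4:
        raise ValueError("buffer too short for SignatureType")
    sig_type = struct.unpack_from("<I", buf, 0)[0]
    if sig_type not in SIGNATURE_LENGTH:
        raise ValueError(f"unknown SignatureType 0x{sig_type:08x}")
    sig_len = SIGNATURE_LENGTH[sig_type]
    if len(buf) < 4 + sig_len:
        raise ValueError("buffer too short for Signature")
    signature = buf[4:4 + sig_len]
    rest = buf[4 + sig_len:]
    rodc_id = None
    if len(rest) == 2:           # KDC signature made by an RODC
        rodc_id = struct.unpack_from("<H", rest, 0)[0]
    elif rest:                   # neither RWDC layout nor RODC layout
        raise ValueError(f"unexpected {len(rest)} trailing bytes")
    return {"type": sig_type, "signature": signature, "rodc_id": rodc_id}


def signing_account_for(sig: dict) -> str:
    """Name of the krbtgt account whose key must verify this KDC signature."""
    return "krbtgt" if sig["rodc_id"] is None else f"krbtgt_{sig['rodc_id']}"


def rodc_id_from_kvno(kvno: int) -> int:
    """Assumed RODC convention: kvno = (rodc_id << 16) | key_version."""
    return (kvno >> 16) & 0xFFFF


# Constructed samples: AES256 KDC signature with and without RODCIdentifier.
SAMPLE_RODC_KDC_SIG = struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x11" * 12 + struct.pack("<H", 46673)
SAMPLE_RWDC_KDC_SIG = struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x22" * 12
```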
