[cifs-protocol] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380
srenaden at microsoft.com
Tue Aug 31 21:29:22 UTC 2021
Hi Isaac, I will be providing an update soon. Thank you for your patience.
Microsoft Windows Open Specifications
From: Isaac Boukris <iboukris at gmail.com>
Sent: Friday, August 27, 2021 5:08 AM
To: Michael Bowen <Mike.Bowen at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz; Mike Bowen <mibowe at microsoftsupport.com>
Subject: Re: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380
On Tue, Aug 10, 2021 at 8:29 PM Mike Bowen <Mike.Bowen at microsoft.com> wrote:
> [BCC DocHelp]
> Hi Isaac,
> Thank you contacting Microsoft Open Specifications Support. A case with TrackingID#2108090040003380 has been created for this inquiry. Please leave the numbers in the subject line for reference. One of our team members will follow-up with you soon.
> Mike Bowen
> Escalation Engineer - Microsoft Open Specifications
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Tuesday, August 10, 2021 7:09 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
> Cc: Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
> Subject: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment
> Hello dochelp!
> I've been running some S4U tests in a RODC environment against fully updated Windows KDCs (supporting pac-ticket-signature). I noticed the following behavior when making a S4U2Proxy request to a RWDC, using a TGT and/or a 2nd ticket that was issued by a RODC (attached packet capture and keytab).
> TGT  | 2nd-ticket | kdc  | result
> rwdc | rwdc       | rwdc | works
> rwdc | rodc       | rwdc | err-modified?
> rodc | rwdc       | rwdc | works!
> rodc | rodc       | rwdc | works!
> You'd notice that test 3 and 4 both work, meaning the 2nd ticket can be issued by either a RWDC or a RODC, I guess the KDC checks the RODCIdentifier in the KDC PAC signatures (MS-PAC 2.8
> PAC_SIGNATURE_DATA) in order to know what key to use to verify the signature, but it isn't clearly documented afaict.
> What I wonder about is test 2, this test uses a normal TGT with a 2nd ticket issued by a RODC, and we make the request against the RWDC, which knows the rodc-krbtgt_46673 key with which the pac-ticket was signed, so why does it fail with err-modified? Why is it worse than test 4 where both the TGT and the 2nd ticket were issued by RODC and it still works? And where is this error path documented (or should be)?
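As an added illustration of the key-selection step the thread speculates about (this is example code written for this page, not code from the thread, from Windows, or from Samba/MIT/Heimdal), the block below parses an MS-PAC 2.8 PAC_SIGNATURE_DATA blob, reads the RODCIdentifier that trails the KDC signature, maps it to the krbtgt account whose key should verify it (krbtgt for 0, krbtgt_<id> otherwise, which is how the RODC krbtgt accounts are named, e.g. krbtgt_46673 above), and checks the KERB_CHECKSUM_HMAC_MD5 KDC signature over the server signature as MS-PAC 2.8.1 / RFC 4757 describe it. The keys, the server signature bytes and the tolerance for a missing RODCIdentifier on RWDC-issued PACs are constructed assumptions of this example. The point a practitioner should take from it is that RODCIdentifier only selects which key to try; it is attacker-controlled until the HMAC verifies, so a wrong or forged identifier must fail closed.

```python
import hashlib
import hmac
import struct

# Checksum types used in PAC_SIGNATURE_DATA (MS-PAC 2.8) and their signature lengths.
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # RC4-HMAC tickets, 16-byte signature
HMAC_SHA1_96_AES128 = 0x0000000F      # 12-byte signature
HMAC_SHA1_96_AES256 = 0x00000010      # 12-byte signature
SIGNATURE_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES128: 12, HMAC_SHA1_96_AES256: 12}

# Key usage for PAC signatures (MS-PAC 2.8.1).
KERB_NON_KERB_CKSUM_SALT = 17

# Constructed example keys (NOT real keys): the RWDC krbtgt key and the key of
# the RODC whose secondary krbtgt number is 46673, as in the thread.
KEYS = {
    "krbtgt": bytes(range(16)),
    "krbtgt_46673": bytes(range(16, 32)),
}
# Constructed 16-byte "server signature" that the KDC signature is computed over.
SERVER_SIGNATURE = b"\xAA" * 16


def kerb_checksum_hmac_md5(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 as in RFC 4757 section 4 / MS-PAC 2.8.1."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def build_kdc_signature(sig_type: int, signature: bytes, rodc_id: int) -> bytes:
    """Serialise PAC_SIGNATURE_DATA: SignatureType, Signature, RODCIdentifier (LE16)."""
    return struct.pack("<I", sig_type) + signature + struct.pack("<H", rodc_id)


def parse_signature_data(blob: bytes, is_kdc_signature: bool):
    """Return (SignatureType, Signature, RODCIdentifier).

    Assumption of this example: a KDC signature without the trailing two bytes
    is treated as RWDC-issued (RODCIdentifier 0).
    """
    (sig_type,) = struct.unpack_from("<I", blob, 0)
    length = SIGNATURE_LEN[sig_type]
    signature = blob[4:4 + length]
    rodc_id = 0
    if is_kdc_signature and len(blob) >= 4 + length + 2:
        (rodc_id,) = struct.unpack_from("<H", blob, 4 + length)
    return sig_type, signature, rodc_id


def krbtgt_account_for(rodc_id: int) -> str:
    """Map an RODCIdentifier to the krbtgt account whose key signed the PAC."""
    return "krbtgt" if rodc_id == 0 else f"krbtgt_{rodc_id}"


def rodc_id_from_kvno(kvno: int) -> int:
    """The RODC's secondary krbtgt number lives in the upper 16 bits of the kvno."""
    return (kvno >> 16) & 0xFFFF


def verify_kdc_signature(blob: bytes, server_signature: bytes, keys: dict):
    """Select the krbtgt key from RODCIdentifier and verify the KDC signature.

    Returns (ok, account_tried). The identifier is untrusted input: it only
    chooses which key to try, and an unknown id or bad HMAC fails closed.
    """
    sig_type, signature, rodc_id = parse_signature_data(blob, is_kdc_signature=True)
    account = krbtgt_account_for(rodc_id)
    key = keys.get(account)
    if key is None:
        return False, account
    if sig_type != KERB_CHECKSUM_HMAC_MD5:
        raise NotImplementedError("only the RC4-HMAC checksum is implemented here")
    expected = kerb_checksum_hmac_md5(key, KERB_NON_KERB_CKSUM_SALT, server_signature)
    return hmac.compare_digest(expected, signature), account


def demo():
    """Constructed scenario: a PAC whose KDC signature was made by RODC 46673."""
    good = build_kdc_signature(
        KERB_CHECKSUM_HMAC_MD5,
        kerb_checksum_hmac_md5(KEYS["krbtgt_46673"], KERB_NON_KERB_CKSUM_SALT, SERVER_SIGNATURE),
        46673,
    )
    # Same bytes but with the identifier rewritten to claim the RWDC signed it.
    relabelled = good[:-2] + struct.pack("<H", 0)
    return verify_kdc_signature(good, SERVER_SIGNATURE, KEYS), verify_kdc_signature(relabelled, SERVER_SIGNATURE, KEYS)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints the result of the two verifications: the genuine RODC-signed blob verifies under krbtgt_46673, and the relabelled copy is tried against the RWDC krbtgt key and rejected, which is the fail-closed behaviour a KDC needs whatever the cause of the err-modified in test 2 turns out to be.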