[cifs-protocol] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Sreekanth Nadendla srenaden at microsoft.com
Tue Aug 31 21:29:22 UTC 2021


Hi Isaac, I will be providing an update soon. Thank you for your patience.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications


-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Friday, August 27, 2021 5:08 AM
To: Michael Bowen <Mike.Bowen at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz; Mike Bowen <mibowe at microsoftsupport.com>
Subject: Re: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Hi again,

Any takers?

Thanks :)

On Tue, Aug 10, 2021 at 8:29 PM Mike Bowen <Mike.Bowen at microsoft.com> wrote:
>
> [BCC DocHelp]
>
> Hi Isaac,
>
> Thank you for contacting Microsoft Open Specifications Support. A case with TrackingID#2108090040003380 has been created for this inquiry. Please leave the numbers in the subject line for reference. One of our team members will follow-up with you soon.
>
> Mike Bowen
> Escalation Engineer - Microsoft Open Specifications
>
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Tuesday, August 10, 2021 7:09 AM
> To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
> Cc: Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
> Subject: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment
>
> Hello dochelp!
>
> I've been running some S4U tests in a RODC environment against fully updated Windows KDCs (supporting pac-ticket-signature). I noticed the following behavior when making a S4U2Proxy request to a RWDC, using a TGT and/or a 2nd ticket that was issued by a RODC (attached packet capture and keytab).
>
> test | TGT  | 2nd-ticket | kdc  | result
> 1    | rwdc | rwdc       | rwdc | works
> 2    | rwdc | rodc       | rwdc | err-modified?
> 3    | rodc | rwdc       | rwdc | works!
> 4    | rodc | rodc       | rwdc | works!
>
> You'd notice that tests 3 and 4 both work, meaning the 2nd ticket can be issued by either a RWDC or a RODC. I guess the KDC checks the RODCIdentifier in the KDC PAC signatures (MS-PAC 2.8 PAC_SIGNATURE_DATA) in order to know what key to use to verify the signature, but it isn't clearly documented afaict.
>
> What I wonder about is test 2, this test uses a normal TGT with a 2nd ticket issued by a RODC, and we make the request against the RWDC, which knows the rodc-krbtgt_46673 key with which the pac-ticket was signed, so why does it fail with err-modified? Why is it worse than test 4 where both the TGT and the 2nd ticket were issued by RODC and it still works? And where is this error path documented (or should be)?
>
> Thanks!


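Added example for this thread (not code from the thread, from Samba, or from MIT krb5): a small decoder for the MS-PAC 2.8 PAC_SIGNATURE_DATA layout the question refers to, plus the key-selection step a verifying KDC has to perform. It assumes the SignatureType/Signature/RODCIdentifier layout from MS-PAC 2.8 (a 2-byte trailer after the signature is taken to be RODCIdentifier, anything else is treated as malformed), the RODC krbtgt kvno packing from MS-KILE 3.1.5.8 (RODC identifier in the upper 16 bits, key version in the lower 16), and the krbtgt_<identifier> naming of RODC krbtgt accounts. The sample buffers are constructed, not taken from the attached capture; 46673 is reused from the krbtgt_46673 account mentioned above only as an illustrative identifier.

```python
"""Decode MS-PAC 2.8 PAC_SIGNATURE_DATA and pick the krbtgt key a KDC would
need to verify it.

Added example for this thread; it is not code from the thread, Samba or MIT.
Sample buffers below are constructed, not extracted from the attached capture.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Checksum types used for PAC signatures and the fixed length of the
# Signature field they produce (RFC 3961 / MS-PAC 2.8).
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # RC4-HMAC, 16-byte signature
HMAC_SHA1_96_AES128 = 0x0000000F      # 12-byte signature
HMAC_SHA1_96_AES256 = 0x00000010      # 12-byte signature

SIGNATURE_LENGTHS = {
    KERB_CHECKSUM_HMAC_MD5: 16,
    HMAC_SHA1_96_AES128: 12,
    HMAC_SHA1_96_AES256: 12,
}


@dataclass(frozen=True)
class PacSignatureData:
    signature_type: int
    signature: bytes
    rodc_identifier: Optional[int]   # None when the issuing KDC was a RWDC


def parse_pac_signature_data(buf: bytes) -> PacSignatureData:
    """Decode one PAC_SIGNATURE_DATA buffer (info-buffer types 6, 7, 0x10, 0x13).

    Layout: SignatureType (4 bytes LE), Signature (length fixed by the type),
    then RODCIdentifier (2 bytes LE) which exists only when the KDC is an RODC.
    Assumption made here: any 2-byte remainder after the signature is that
    field; any other remainder is rejected rather than silently ignored.
    """
    if len(buf) < 4:
        raise ValueError("too short for SignatureType")
    (sig_type,) = struct.unpack_from("<I", buf, 0)
    sig_len = SIGNATURE_LENGTHS.get(sig_type)
    if sig_len is None:
        raise ValueError(f"unknown SignatureType 0x{sig_type:08x}")
    if len(buf) < 4 + sig_len:
        raise ValueError("truncated inside Signature")
    signature = bytes(buf[4:4 + sig_len])
    trailer = buf[4 + sig_len:]
    if not trailer:
        return PacSignatureData(sig_type, signature, None)
    if len(trailer) != 2:
        raise ValueError(f"unexpected {len(trailer)} trailing byte(s)")
    (rodc_id,) = struct.unpack("<H", trailer)
    return PacSignatureData(sig_type, signature, rodc_id)


def pack_rodc_kvno(rodc_identifier: int, key_version: int) -> int:
    """MS-KILE 3.1.5.8: for an RODC krbtgt key the 32-bit kvno carries the RODC
    identifier in the upper 16 bits and the key version in the lower 16."""
    if not 0 <= rodc_identifier <= 0xFFFF or not 0 <= key_version <= 0xFFFF:
        raise ValueError("fields must fit in 16 bits")
    return (rodc_identifier << 16) | key_version


def split_rodc_kvno(kvno: int) -> Tuple[int, int]:
    """Inverse of pack_rodc_kvno: (rodc_identifier, key_version)."""
    return (kvno >> 16) & 0xFFFF, kvno & 0xFFFF


def krbtgt_account_for(sig: PacSignatureData) -> str:
    """Which krbtgt account's key a verifying KDC must look up: the domain
    krbtgt for RWDC-issued tickets, krbtgt_<RODCIdentifier> otherwise."""
    if sig.rodc_identifier is None:
        return "krbtgt"
    return f"krbtgt_{sig.rodc_identifier}"


# Constructed samples (AES256 checksum type, dummy signature bytes). The RODC
# identifier 46673 matches the krbtgt_46673 account mentioned in the thread;
# the bytes themselves are made up.
SAMPLE_RWDC_SIGNATURE = struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x11" * 12
SAMPLE_RODC_SIGNATURE = (
    struct.pack("<I", HMAC_SHA1_96_AES256) + b"\x22" * 12 + struct.pack("<H", 46673)
)

if __name__ == "__main__":
    for label, raw in (("rwdc", SAMPLE_RWDC_SIGNATURE), ("rodc", SAMPLE_RODC_SIGNATURE)):
        sig = parse_pac_signature_data(raw)
        print(label, sig.rodc_identifier, krbtgt_account_for(sig))
```

When walking a real PAC from a capture, feed each signature info buffer (server, KDC, ticket and full-PAC checksums) through parse_pac_signature_data separately; the presence or absence of the RODCIdentifier trailer on the KDC and ticket signatures is what tells the verifier whether the domain krbtgt key or a krbtgt_<id> key is needed, which is the lookup the question above is asking about.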