[cifs-protocol] [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908

Jeff McCashland (He/him) jeffm at microsoft.com
Wed Dec 8 16:29:40 UTC 2021


Hi Andreas,

I have done some digging into this, and also discussed it with our PAC team. 

It does not appear that there are any undocumented constraints on these values. There are no formatting requirements at all for S4UTransitedServices, which are just used for auditing. S4U2proxyTarget can be any valid format for a security principal, but the caller should be consistent in the form used for each step. It doesn't necessarily need to be an SPN. 

Please let me know if this does not fully resolve your issue. 

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Jeff McCashland (he/him) 
Sent: Wednesday, December 1, 2021 10:57 AM
To: Andreas Schneider <asn at samba.org>
Cc: cifs-protocol at lists.samba.org; jeffm at microsoftsupport.com
Subject: RE: [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908

Hi Andreas,

Do you have a means of generating the S4U_DELEGATION_INFO structure on the wire to see how Windows fills it in? If so, can you provide a net trace? 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Jeff McCashland (HE/HIM/THEY/THEM)
Sent: Monday, November 29, 2021 11:36 AM
To: Andreas Schneider <asn at samba.org>
Cc: cifs-protocol at lists.samba.org; jeffm at microsoftsupport.com
Subject: RE: [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908

[Mike to BCC]

Hi Andreas,

I will research your question and let you know what I find. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Michael Bowen <Mike.Bowen at microsoft.com>
Sent: Monday, November 29, 2021 9:24 AM
To: Andreas Schneider <asn at samba.org>
Cc: cifs-protocol at lists.samba.org; Mike Bowen <mibowe at microsoftsupport.com>
Subject: RE: [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908

[DocHelp to bcc]

Hi Andreas,

Thank you for contacting Microsoft Open Specifications Support. We created SR case TrackingID#2111290040007908 to track the issue. Please leave this case number in the subject line for future reference.

One of our engineers will contact you shortly.

Mike Bowen
Escalation Engineer - Microsoft Open Specifications

-----Original Message-----
From: Andreas Schneider <asn at samba.org>
Sent: Monday, November 29, 2021 1:16 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-PAC: Constrained Delegation Information

Hello dochelp,

I have some requests for clarification for:

=== snip ===

2.9 Constrained Delegation Information

The S4U_DELEGATION_INFO structure lists the services that have been delegated through this Kerberos client and subsequent services or servers. The list is used only in a Service for User to Proxy (S4U2proxy) [MS-SFU] request. This feature could be used multiple times in succession from service to service, which is useful for auditing purposes.<18> The S4U_DELEGATION_INFO structure is marshaled by RPC [MS-RPCE].

typedef struct _S4U_DELEGATION_INFO {
    RPC_UNICODE_STRING S4U2proxyTarget;
    ULONG TransitedListSize;
    [size_is(TransitedListSize)] PRPC_UNICODE_STRING S4UTransitedServices;
} S4U_DELEGATION_INFO, *PS4U_DELEGATION_INFO;

S4U2proxyTarget: An RPC_UNICODE_STRING structure that MUST contain the name of the principal to whom the application can forward the ticket.

TransitedListSize: MUST be the number of elements in the S4UTransitedServices array.

S4UTransitedServices: MUST contain the list of all services that have been delegated through by this client and subsequent services or servers.

=== /snip ===

The S4U2proxyTarget seems to be expected to be a service principal name (SPN) without the realm part (host/<servername>). Is that correct? Does the format matter, or can it also be <servername>$?

S4UTransitedServices seems to expect a list of SPNs (<service>/<servername>@<realm>). Does this need to be host/<servername>@<realm>, or can it also be in the form <servername>$@<realm>?

Thank you very much for your assistance.


Best regards


        Andreas


--
Andreas Schneider                      asn at samba.org
Samba Team                             http://www.samba.org/
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
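Added example (not code from this thread, from Samba or from Microsoft): a small Python encoder and decoder for the S4U_DELEGATION_INFO buffer quoted above, so the on-wire form of S4U2proxyTarget and S4UTransitedServices can be built and inspected, and so the consistency checks a PAC parser should make (TransitedListSize against the conformant array's MaxCount, the RPC_UNICODE_STRING Length against the buffer's ActualCount) are explicit. It assumes the buffer is wrapped in the MS-RPCE type serialization version 1 common and private headers with a top-level unique pointer, as for the other PAC info buffers, that the marshaled object is padded to a multiple of 8 bytes, and that referent IDs start at 0x00020000 (any non-zero value is valid on the wire). The principal names used below are constructed sample values, not taken from a trace; confirm the layout against a real capture before relying on it.

```python
"""Minimal NDR (type serialization v1) encoder/decoder for S4U_DELEGATION_INFO.

Layout assumed here (see MS-RPCE 2.2.6 and MS-PAC 2.9):
  common type header (8) | private header (8) | referent ID of struct (4)
  | S4U2proxyTarget {Length, MaximumLength, Buffer ptr} (8)
  | TransitedListSize (4) | S4UTransitedServices ptr (4)
  | deferred: target WCHAR buffer, then the conformant array of
    RPC_UNICODE_STRING headers followed by each element's WCHAR buffer.
"""
import struct

REFERENT_BASE = 0x00020000  # assumed starting referent ID; only "non-zero" matters


def _pad(data: bytes, n: int) -> bytes:
    return data + b"\x00" * (-len(data) % n)


def _ustr_inline(s: str, referent: int) -> bytes:
    """RPC_UNICODE_STRING scalars: Length, MaximumLength (bytes), Buffer pointer."""
    nbytes = len(s.encode("utf-16-le"))
    return struct.pack("<HHI", nbytes, nbytes, referent)


def _ustr_deferred(s: str) -> bytes:
    """Deferred conformant+varying WCHAR array: MaxCount, Offset, ActualCount, chars."""
    data = s.encode("utf-16-le")
    count = len(data) // 2
    return _pad(struct.pack("<III", count, 0, count) + data, 4)


def encode_s4u_delegation_info(target: str, transited: list[str]) -> bytes:
    ref = REFERENT_BASE
    body = struct.pack("<I", ref); ref += 4            # unique pointer to the struct
    body += _ustr_inline(target, ref); ref += 4        # S4U2proxyTarget
    body += struct.pack("<I", len(transited))          # TransitedListSize
    list_ref = ref if transited else 0                 # NULL pointer for an empty list
    body += struct.pack("<I", list_ref); ref += 4      # S4UTransitedServices
    body += _ustr_deferred(target)                     # deferred target buffer
    if transited:
        body += struct.pack("<I", len(transited))      # conformant array MaxCount
        for s in transited:                            # element scalars first ...
            body += _ustr_inline(s, ref); ref += 4
        for s in transited:                            # ... then their buffers
            body += _ustr_deferred(s)
    body = _pad(body, 8)                               # assumed 8-byte object padding
    common = struct.pack("<BBHI", 1, 0x10, 8, 0xCCCCCCCC)  # version, LE, hdr len, filler
    private = struct.pack("<II", len(body), 0)             # ObjectBufferLength, filler
    return common + private + body


def _read_ustr(body: bytes, pos: int, byte_len: int) -> tuple[int, str]:
    max_count, offset, actual = struct.unpack_from("<III", body, pos); pos += 12
    if offset != 0 or actual * 2 != byte_len or actual > max_count:
        raise ValueError("inconsistent RPC_UNICODE_STRING buffer counts")
    s = body[pos:pos + actual * 2].decode("utf-16-le")
    return pos + ((actual * 2 + 3) & ~3), s


def decode_s4u_delegation_info(blob: bytes) -> tuple[str, list[str]]:
    version, endian, hdr_len, _filler = struct.unpack_from("<BBHI", blob, 0)
    if (version, endian, hdr_len) != (1, 0x10, 8):
        raise ValueError("unexpected common type header")
    obj_len, _ = struct.unpack_from("<II", blob, 8)
    body = blob[16:16 + obj_len]
    if len(body) != obj_len:
        raise ValueError("truncated object")
    (top_ref,) = struct.unpack_from("<I", body, 0)
    if top_ref == 0:
        raise ValueError("NULL S4U_DELEGATION_INFO pointer")
    t_len, t_max, t_ref = struct.unpack_from("<HHI", body, 4)
    if t_len > t_max:
        raise ValueError("S4U2proxyTarget Length exceeds MaximumLength")
    (count,) = struct.unpack_from("<I", body, 12)
    (list_ref,) = struct.unpack_from("<I", body, 16)
    pos = 20
    if t_ref:
        pos, target = _read_ustr(body, pos, t_len)
    else:
        target = ""
    transited: list[str] = []
    if list_ref:
        (max_count,) = struct.unpack_from("<I", body, pos); pos += 4
        if max_count != count:
            raise ValueError("TransitedListSize disagrees with array MaxCount")
        heads = []
        for _ in range(count):
            length, maximum, ref = struct.unpack_from("<HHI", body, pos); pos += 8
            if length > maximum:
                raise ValueError("transited service Length exceeds MaximumLength")
            heads.append((length, ref))
        for length, ref in heads:                      # deferred buffers, in order
            if ref:
                pos, s = _read_ustr(body, pos, length)
            else:
                s = ""
            transited.append(s)
    elif count:
        raise ValueError("TransitedListSize non-zero but array pointer is NULL")
    return target, transited


def is_well_formed(blob: bytes) -> bool:
    """True if the blob decodes with every count consistent."""
    try:
        decode_s4u_delegation_info(blob)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    # Constructed sample values; both principal-name forms marshal the same way,
    # which matches the answer above that the structure imposes no SPN format.
    for tgt in ("host/fileserver.example.com", "FILESERVER$"):
        blob = encode_s4u_delegation_info(tgt, ["http/web.example.com@EXAMPLE.COM"])
        print(len(blob), blob.hex(), decode_s4u_delegation_info(blob))
```

The decoder deliberately refuses a buffer whose TransitedListSize and conformant MaxCount disagree, or whose string Length is not the buffer's ActualCount in bytes; either mismatch is how a malformed or tampered buffer would show up before any name-format question arises.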

