[cifs-protocol] [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014

Jeff McCashland jeffm at microsoft.com
Mon Jul 26 22:45:27 UTC 2021


Hi Isaac,

I have gotten some clarification on the comment "When this protection if enabled, it unifies the logic for Resource-Based Constrained Delegation (RBCD) with the original constrained delegation.". 

RBCD was recently updated to ensure that everyone honors the ticket issuer's request to not allow delegation. What the comment means is that the secure RBCD logic will stay in place, and that NonForwardableDelegation is being added to be able to turn off forwarding. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Jeff McCashland <jeffm at microsoft.com> 
Sent: Friday, July 9, 2021 9:55 AM
To: Isaac Boukris <iboukris at gmail.com>; cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>
Cc: Jeff McCashland <jeffm at microsoftsupport.com>
Subject: RE: [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014

[DocHelp to BCC, support on CC, SR ID on Subject]

Hello Isaac,

Thank you for submitting your question. We have created SR 2107090040004014 to track this issue. One of our engineers will respond soon.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Friday, July 9, 2021 8:13 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>
Subject: [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag

Hello dochelp!

I noticed this article [1] about CVE-2020-16996 where a new flag is introduced 'NonForwardableDelegation' in constrained-delegation protocol but couldn't find any update to MS-SFU on how this flag affects the protocol behavior. Can you please update the documentation and elaborate on this statement: "When this protection if enabled, it unifies the logic for Resource-Based Constrained Delegation (RBCD) with the original constrained delegation."

[1] https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3

Thanks!


