[cifs-protocol] [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004166 - TrackingID#2106210040004026

Mike Bowen Mike.Bowen at microsoft.com
Mon Jun 21 16:23:57 UTC 2021


[BCC DocHelp]

Hi Isaac,

Thank you for contacting Microsoft Open Specifications Support. Two cases have been created for this inquiry: TrackingID#2106210040004166 and TrackingID#2106210040004026. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.

Best regards,
Mike Bowen  
Escalation Engineer - Microsoft Open Specifications
Mike.Bowen at microsoft.com 





-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Monday, June 21, 2021 3:48 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1

Hello dochelp!

While working on adding TSRemoteGuardCreds to wireshark's credssp dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL
struct in MS-CSSP appendix <22> Section 2.2.1.2.3.1 seems to be incorrect and the MSV1_0_CREDENTIAL_KEY actually comes before the MSV1_0_CREDENTIAL_KEY_TYPE.

It looks in fact quite like the below struct, could you amend it please.

typedef struct _MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL {
    ULONG Version;
    ULONG Flags;
    MSV1_0_CREDENTIAL_KEY CredentialKey;
    MSV1_0_CREDENTIAL_KEY_TYPE CredentialKeyType;
    ULONG EncryptedCredsSize;
    UCHAR EncryptedCreds[ANYSIZE_ARRAY];
} MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL, *PMSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL;

Also the appendix only defines the LM_PRESENT and NT_PRESENT as flags, while on the wire I only see CREDKEY_PRESENT, could you please update the relevant flags and their meaning or add a link to it.

As a last note; the appendix says that "The ServiceTicket member within the KERB_TICKET_LOGON structure is a ticket to the computer account. Windows CredSSP clients will use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket" - however from the packet capture it looks like although a U2U ticket is used for the authentication in the credssp exchange, the ServiceTicket in the KERB_TICKET_LOGON is a regular service ticket, which the Windows client fetches before fetching the U2U one.

You may find a packet capture including the keys on my draft MR
(TSRemoteGuardCreds.tgz):
https://gitlab.com/wireshark/wireshark/-/merge_requests/3419

Thanks!
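[Editor's note, added to this archived thread; the code below is an example written for this page, not Isaac's patch and not Wireshark's dissector.] The layout question in the message above is easiest to see with a parser that can read the same bytes in both field orders. The Python below decodes MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL in the order reported on the wire (CredentialKey, then CredentialKeyType) and, with key_first=False, in the order printed in the appendix, and it performs the bounds check on EncryptedCredsSize that any dissector must do before slicing the ciphertext. Assumptions not stated on the page: MSV1_0_CREDENTIAL_KEY_LENGTH (20 bytes), the MSV1_0_CREDENTIAL_KEY_TYPE enum values, and the flag bits LM_PRESENT = 0x1, NT_PRESENT = 0x2, CREDKEY_PRESENT = 0x8 are taken from the MSV1_0_CRED_* definitions in ntsecapi.h; the sample buffer is constructed, not taken from the capture.

```python
"""Parser for MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL (TSRemoteGuardCreds).

Default field order is the one observed on the wire: CredentialKey before
CredentialKeyType. key_first=False reads the order printed in the appendix
so both interpretations can be compared on identical bytes.
"""
import struct
from dataclasses import dataclass

# Values below come from ntsecapi.h, not from the mailing-list message.
MSV1_0_CREDENTIAL_KEY_LENGTH = 20
CREDENTIAL_KEY_TYPES = {
    0: "InvalidCredKey",
    1: "DeprecatedIUMCredKey",
    2: "DomainUserCredKey",
    3: "LocalUserCredKey",
    4: "ExternallySuppliedCredKey",
}
# Flag bits assumed from MSV1_0_CRED_LM_PRESENT / NT_PRESENT / CREDKEY_PRESENT.
FLAGS = {0x1: "LM_PRESENT", 0x2: "NT_PRESENT", 0x8: "CREDKEY_PRESENT"}

_ULONG = struct.Struct("<I")  # ULONG on the wire: 32-bit little-endian
# Version + Flags + CredentialKey + CredentialKeyType + EncryptedCredsSize
_FIXED_SIZE = 4 * _ULONG.size + MSV1_0_CREDENTIAL_KEY_LENGTH


@dataclass
class RemoteSupplementalCredential:
    version: int
    flags: int
    credential_key: bytes
    credential_key_type: int
    encrypted_creds: bytes

    def flag_names(self):
        return [name for bit, name in sorted(FLAGS.items()) if self.flags & bit]

    def key_type_name(self):
        return CREDENTIAL_KEY_TYPES.get(
            self.credential_key_type, "unknown(0x%x)" % self.credential_key_type)


def parse(buf, key_first=True):
    """Decode one MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL from buf.

    Raises ValueError when the fixed part is truncated or when
    EncryptedCredsSize claims more bytes than the buffer holds.
    """
    if len(buf) < _FIXED_SIZE:
        raise ValueError("truncated: %d bytes, need at least %d" % (len(buf), _FIXED_SIZE))
    off = 0
    (version,) = _ULONG.unpack_from(buf, off)
    off += _ULONG.size
    (flags,) = _ULONG.unpack_from(buf, off)
    off += _ULONG.size
    if key_first:
        key = bytes(buf[off:off + MSV1_0_CREDENTIAL_KEY_LENGTH])
        off += MSV1_0_CREDENTIAL_KEY_LENGTH
        (key_type,) = _ULONG.unpack_from(buf, off)
        off += _ULONG.size
    else:
        (key_type,) = _ULONG.unpack_from(buf, off)
        off += _ULONG.size
        key = bytes(buf[off:off + MSV1_0_CREDENTIAL_KEY_LENGTH])
        off += MSV1_0_CREDENTIAL_KEY_LENGTH
    (size,) = _ULONG.unpack_from(buf, off)
    off += _ULONG.size
    if off + size > len(buf):
        raise ValueError("EncryptedCredsSize %d overruns buffer (%d bytes left)"
                         % (size, len(buf) - off))
    return RemoteSupplementalCredential(version, flags, key, key_type,
                                        bytes(buf[off:off + size]))


def build(version, flags, key, key_type, creds):
    """Encode in the on-the-wire (key-first) order; used to construct sample input."""
    if len(key) != MSV1_0_CREDENTIAL_KEY_LENGTH:
        raise ValueError("CredentialKey must be %d bytes" % MSV1_0_CREDENTIAL_KEY_LENGTH)
    return (_ULONG.pack(version) + _ULONG.pack(flags) + bytes(key)
            + _ULONG.pack(key_type) + _ULONG.pack(len(creds)) + bytes(creds))


# Constructed sample (not capture data): key bytes 0x10..0x23, DomainUserCredKey,
# CREDKEY_PRESENT set, 16 bytes standing in for the encrypted credentials.
SAMPLE = build(0, 0x8, bytes(range(0x10, 0x24)), 2, b"\xaa" * 16)

if __name__ == "__main__":
    good = parse(SAMPLE)
    print("wire order    :", good.key_type_name(), good.flag_names(), good.credential_key.hex())
    # Both orders consume the same 24 fixed bytes, so nothing desynchronises;
    # the misdocumented order only shows up as an implausible CredentialKeyType
    # assembled from the first four bytes of the key.
    wrong = parse(SAMPLE, key_first=False)
    print("appendix order:", wrong.key_type_name(), wrong.credential_key.hex())
```

Because CredentialKey and CredentialKeyType are both fixed-size, swapping them does not move EncryptedCredsSize or EncryptedCreds; a dissector written to the appendix layout would still find the ciphertext but would label the first four key bytes as an enum value outside the known range, which is the symptom to look for in a capture.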
