[cifs-protocol] [EXTERNAL] MS-CSSP: some notes on appendix <22> Section - TrackingID#2106210040004026

Jeff McCashland jeffm at microsoft.com
Mon Jun 21 17:37:30 UTC 2021

[Mike to BCC]

Hi Isaac,

I altered the Subject line to branch this to a separate email thread for your notes on [MS-CSSP] Windows Behavior Note <22> for section (SR 2106210040004026). I will not be addressing the point about the ServiceTicket in this case/thread, just the supplemental creds structure and flags. 

I will investigate the issues with this note, and let you know what I find. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Mike Bowen <Mike.Bowen at microsoft.com> 
Sent: Monday, June 21, 2021 9:24 AM
To: Isaac Boukris <iboukris at gmail.com>; cifs-protocol at lists.samba.org
Cc: Mike Bowen <mibowe at microsoftsupport.com>
Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section - TrackingID#2106210040004166 - TrackingID#2106210040004026

[BCC DocHelp]

Hi Isaac,

Thank you for contacting Microsoft Open Specifications Support. Two cases have been created for this inquiry: TrackingID#2106210040004166 and TrackingID#2106210040004026. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.

Best regards,
Mike Bowen
Escalation Engineer - Microsoft Open Specifications Mike.Bowen at microsoft.com

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Monday, June 21, 2021 3:48 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section

Hello dochelp!

While working on adding TSRemoteGuardCreds to Wireshark's CredSSP dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL
struct in MS-CSSP appendix <22> Section seems to be incorrect: the MSV1_0_CREDENTIAL_KEY actually comes before the MSV1_0_CREDENTIAL_KEY_TYPE.

It looks in fact quite like the struct below; could you amend it, please?


Also, the appendix only defines LM_PRESENT and NT_PRESENT as flags, while on the wire I only see CREDKEY_PRESENT. Could you please update the relevant flags and their meaning, or add a link to them?

As a last note, the appendix says that "The ServiceTicket member within the KERB_TICKET_LOGON structure is a ticket to the computer account. Windows CredSSP clients will use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket". However, from the packet capture it looks like, although a U2U ticket is used for the authentication in the CredSSP exchange, the ServiceTicket in the KERB_TICKET_LOGON is a regular service ticket, which the Windows client fetches before fetching the U2U one.

You may find a packet capture including the keys on my draft MR
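As an added example (not from this thread, and not Wireshark's dissector code), a small Python parser that reads NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL in the order Isaac observed on the wire (MSV1_0_CREDENTIAL_KEY, then MSV1_0_CREDENTIAL_KEY_TYPE) and, for comparison, in the order the appendix text gives, so the misread is visible on the same bytes. The surrounding Version/Flags/EncryptedCredsSize fields, the 20-byte key size and the flag bit values are assumptions taken from the Windows SDK definitions rather than from the thread, and the sample bytes are constructed.

```python
import struct

# Flag bits for the Flags field. Values are an assumption (the MSV1_0_CRED_*
# definitions in the Windows SDK); the thread only names the flags.
LM_PRESENT = 0x1
NT_PRESENT = 0x2
CREDKEY_PRESENT = 0x8
FLAG_NAMES = {LM_PRESENT: "LM_PRESENT", NT_PRESENT: "NT_PRESENT",
              CREDKEY_PRESENT: "CREDKEY_PRESENT"}
CREDENTIAL_KEY_LEN = 20  # assumed size of MSV1_0_CREDENTIAL_KEY


def decode_flags(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def parse_supplemental_credential(data, key_before_type=True):
    """Parse the little-endian structure. key_before_type=True is the
    observed wire order; False is the order in the appendix text."""
    off = 0
    version, flags = struct.unpack_from("<II", data, off)
    off += 8
    if key_before_type:
        key = bytes(data[off:off + CREDENTIAL_KEY_LEN])
        off += CREDENTIAL_KEY_LEN
        (key_type,) = struct.unpack_from("<I", data, off)
        off += 4
    else:
        (key_type,) = struct.unpack_from("<I", data, off)
        off += 4
        key = bytes(data[off:off + CREDENTIAL_KEY_LEN])
        off += CREDENTIAL_KEY_LEN
    (enc_size,) = struct.unpack_from("<I", data, off)
    off += 4
    if off + enc_size > len(data):
        raise ValueError("EncryptedCredsSize runs past the end of the buffer")
    return {"version": version, "flags": decode_flags(flags),
            "credential_key": key, "credential_key_type": key_type,
            "encrypted_creds": bytes(data[off:off + enc_size])}


# Constructed sample (not from a real capture): Version 0, Flags =
# CREDKEY_PRESENT, a 20-byte key of 0x11, key type 2, 4 bytes of ciphertext.
SAMPLE = (struct.pack("<II", 0, CREDKEY_PRESENT) + b"\x11" * CREDENTIAL_KEY_LEN
          + struct.pack("<II", 2, 4) + b"\xaa\xbb\xcc\xdd")

if __name__ == "__main__":
    print(parse_supplemental_credential(SAMPLE))
    print(parse_supplemental_credential(SAMPLE, key_before_type=False))
```

Parsing the sample in the documented order reports the first four key bytes as the key type, which is the kind of mismatch a dissector shows when the spec's field order disagrees with the wire.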

