[cifs-protocol] [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004026

Jeff McCashland jeffm at microsoft.com
Mon Jun 21 17:37:30 UTC 2021


[Mike to BCC]

Hi Isaac,

I altered the Subject line to branch this to a separate email thread for your notes on [MS-CSSP] Windows Behavior Note <22> for section 2.2.1.2.3.1 (SR 2106210040004026). I will not be addressing the point about the ServiceTicket in this case/thread, just the supplemental creds structure and flags. 

I will investigate the issues with this note, and let you know what I find. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Mike Bowen <Mike.Bowen at microsoft.com> 
Sent: Monday, June 21, 2021 9:24 AM
To: Isaac Boukris <iboukris at gmail.com>; cifs-protocol at lists.samba.org
Cc: Mike Bowen <mibowe at microsoftsupport.com>
Subject: RE: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1 - TrackingID#2106210040004166 - TrackingID#2106210040004026

[BCC DocHelp]

Hi Isaac,

Thank you for contacting Microsoft Open Specifications Support. Two cases have been created for this inquiry: TrackingID#2106210040004166 and TrackingID#2106210040004026. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.

Best regards,
Mike Bowen
Escalation Engineer - Microsoft Open Specifications Mike.Bowen at microsoft.com





-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com>
Sent: Monday, June 21, 2021 3:48 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-CSSP: some notes on appendix <22> Section 2.2.1.2.3.1

Hello dochelp!

While working on adding TSRemoteGuardCreds to wireshark's credssp dissector, I noticed that the NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL struct in MS-CSSP appendix <22> Section 2.2.1.2.3.1 seems to be incorrect and the MSV1_0_CREDENTIAL_KEY actually comes before the MSV1_0_CREDENTIAL_KEY_TYPE.

It looks in fact quite like the struct below; could you amend it, please?

typedef struct _MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL {
    ULONG Version;
    ULONG Flags;
    MSV1_0_CREDENTIAL_KEY CredentialKey;            /* on the wire, the key comes first ... */
    MSV1_0_CREDENTIAL_KEY_TYPE CredentialKeyType;   /* ... followed by its type */
    ULONG EncryptedCredsSize;
    UCHAR EncryptedCreds[ANYSIZE_ARRAY];
} MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL, *PMSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL;

Also, the appendix only defines LM_PRESENT and NT_PRESENT as flags, while on the wire I only see CREDKEY_PRESENT; could you please update the relevant flags and their meaning, or add a link to them?

As a last note: the appendix says that "The ServiceTicket member within the KERB_TICKET_LOGON structure is a ticket to the computer account. Windows CredSSP clients will use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket". However, from the packet capture it looks like, although a U2U ticket is used for the authentication in the credssp exchange, the ServiceTicket in the KERB_TICKET_LOGON is a regular service ticket, which the Windows client fetches before fetching the U2U one.

You may find a packet capture including the keys on my draft MR (TSRemoteGuardCreds.tgz):
https://gitlab.com/wireshark/wireshark/-/merge_requests/3419

Thanks!
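As an added example (not part of this thread, the MS-CSSP document or the Wireshark dissector): a small parser for MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL in the field order observed on the wire, with a switch for the order printed in appendix <22> to show how the same bytes get misread. It assumes MSV1_0_CREDENTIAL_KEY is 20 bytes of key material and MSV1_0_CREDENTIAL_KEY_TYPE is a 4-byte little-endian enum; the sample bytes, flag and key-type values are constructed, not taken from any capture.

```python
import struct
from dataclasses import dataclass

# Assumed sizes (not stated in the thread): MSV1_0_CREDENTIAL_KEY is 20 bytes,
# MSV1_0_CREDENTIAL_KEY_TYPE is a 4-byte enum. All fields are little-endian.
CRED_KEY_LEN = 20
U32 = struct.Struct("<I")


@dataclass
class RemoteSupplementalCredential:
    version: int
    flags: int
    credential_key: bytes
    credential_key_type: int
    encrypted_creds: bytes


def parse_remote_supplemental_credential(buf: bytes, key_before_type: bool = True):
    """Parse MSV1_0_REMOTE_SUPPLEMENTAL_CREDENTIAL from raw bytes.

    key_before_type=True is the order seen on the wire (CredentialKey, then
    CredentialKeyType). False is the order printed in appendix <22>, kept only
    to show how it swaps key bytes into the type field and vice versa.
    """
    off = 0
    version, flags = struct.unpack_from("<II", buf, off)
    off += 8
    if key_before_type:
        key = bytes(buf[off:off + CRED_KEY_LEN]); off += CRED_KEY_LEN
        (key_type,) = U32.unpack_from(buf, off); off += 4
    else:
        (key_type,) = U32.unpack_from(buf, off); off += 4
        key = bytes(buf[off:off + CRED_KEY_LEN]); off += CRED_KEY_LEN
    (size,) = U32.unpack_from(buf, off)
    off += 4
    # EncryptedCreds is a variable-length tail: never trust the declared size blindly.
    if size > len(buf) - off:
        raise ValueError(f"EncryptedCredsSize {size} exceeds remaining {len(buf) - off} bytes")
    return RemoteSupplementalCredential(version, flags, key, key_type, bytes(buf[off:off + size]))


def is_well_formed(buf: bytes) -> bool:
    """True if the buffer parses in wire order without truncation."""
    try:
        parse_remote_supplemental_credential(buf)
        return True
    except (ValueError, struct.error):
        return False


def build_sample() -> bytes:
    """Constructed sample laid out in wire order; flags=1 and type=2 are placeholders."""
    key = bytes(range(1, CRED_KEY_LEN + 1))
    creds = b"\xaa" * 12
    return struct.pack("<II", 0, 1) + key + U32.pack(2) + U32.pack(len(creds)) + creds
```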


