[cifs-protocol] [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908
Jeff McCashland (HE/HIM/THEY/THEM)
jeffm at microsoft.com
Mon Nov 29 19:36:01 UTC 2021
[Mike to BCC]
Hi Andreas,
I will research your question and let you know what I find.
Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback. My manager is Natesha Morrison (namorri), +1 (704) 430-4292
-----Original Message-----
From: Michael Bowen <Mike.Bowen at microsoft.com>
Sent: Monday, November 29, 2021 9:24 AM
To: Andreas Schneider <asn at samba.org>
Cc: cifs-protocol at lists.samba.org; Mike Bowen <mibowe at microsoftsupport.com>
Subject: RE: [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908
[DocHelp to bcc]
Hi Andreas,
Thank you for contacting Microsoft Open Specifications Support. We created SR case TrackingID#2111290040007908 to track the issue. Please leave this case number in the subject line for future reference.
One of our engineers will contact you shortly.
Mike Bowen
Escalation Engineer - Microsoft Open Specifications
-----Original Message-----
From: Andreas Schneider <asn at samba.org>
Sent: Monday, November 29, 2021 1:16 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-PAC: Constrained Delegation Information
Hello dochelp,
I have some requests for clarification for:
=== snip ===
2.9 Constrained Delegation Information
The S4U_DELEGATION_INFO structure lists the services that have been delegated through this Kerberos client and subsequent services or servers. The list is used only in a Service for User to Proxy (S4U2proxy) [MS-SFU] request. This feature could be used multiple times in succession from service to service, which is useful for auditing purposes.<18> The S4U_DELEGATION_INFO structure is marshaled by RPC [MS-RPCE].
typedef struct _S4U_DELEGATION_INFO {
RPC_UNICODE_STRING S4U2proxyTarget;
ULONG TransitedListSize;
[size_is(TransitedListSize)] PRPC_UNICODE_STRING S4UTransitedServices; } S4U_DELEGATION_INFO, *PS4U_DELEGATION_INFO;
S4U2proxyTarget: An RPC_UNICODE_STRING structure that MUST contain the name of the principal to whom the application can forward the ticket.
TransitedListSize: MUST be the number of elements in the S4UTransitedServices array.
S4UTransitedServices: MUST contain the list of all services that have been delegated through by this client and subsequent services or servers.
=== /snip ===
The S4U2proxyTarget seems to be expected to be a service principal name (SPN) without the realm part (host/<servername>). Is that correct? Does the format matter or can it be also <servername>$.
S4UTransitedServices seems to expect a list of SPNs (<service>/ <servername>@<realm<). Does this need to be host/<servername>@<realm> or can it also be in the for <servername>$@<realm>?
Thank you very much for your assistance.
Best regards
Andreas
--
Andreas Schneider asn at samba.org
Samba Team https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.samba.org%2F&data=04%7C01%7Cjeffm%40microsoft.com%7C3ebbbb780e6a4a6213e908d9b35d110a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637738034578928455%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=slIoX95j1bAEhikDdSQYTWGX6SmXYHrxcwrs1egzvTs%3D&reserved=0
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the cifs-protocol
mailing list