[cifs-protocol] [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908

Jeff McCashland (HE/HIM/THEY/THEM) jeffm at microsoft.com
Mon Nov 29 19:36:01 UTC 2021

[Mike to BCC]

Hi Andreas,

I will research your question and let you know what I find. 

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team 
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
We value your feedback.  My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: Michael Bowen <Mike.Bowen at microsoft.com> 
Sent: Monday, November 29, 2021 9:24 AM
To: Andreas Schneider <asn at samba.org>
Cc: cifs-protocol at lists.samba.org; Mike Bowen <mibowe at microsoftsupport.com>
Subject: RE: [EXTERNAL] MS-PAC: Constrained Delegation Information - TrackingID#2111290040007908

[DocHelp to bcc]

Hi Andreas,

Thank you for contacting Microsoft Open Specifications Support. We created SR case TrackingID#2111290040007908 to track the issue. Please leave this case number in the subject line for future reference.

One of our engineers will contact you shortly.

Mike Bowen
Escalation Engineer - Microsoft Open Specifications

-----Original Message-----
From: Andreas Schneider <asn at samba.org>
Sent: Monday, November 29, 2021 1:16 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org
Subject: [EXTERNAL] MS-PAC: Constrained Delegation Information

Hello dochelp,

I have some requests for clarification for:

=== snip ===

2.9 Constrained Delegation Information

The S4U_DELEGATION_INFO structure lists the services that have been delegated through this Kerberos client and subsequent services or servers. The list is used only in a Service for User to Proxy (S4U2proxy) [MS-SFU] request. This feature could be used multiple times in succession from service to service, which is useful for auditing purposes.<18> The S4U_DELEGATION_INFO structure is marshaled by RPC [MS-RPCE].

typedef struct _S4U_DELEGATION_INFO {
ULONG TransitedListSize;
[size_is(TransitedListSize)] PRPC_UNICODE_STRING S4UTransitedServices; } S4U_DELEGATION_INFO, *PS4U_DELEGATION_INFO;

S4U2proxyTarget: An RPC_UNICODE_STRING structure that MUST contain the name of the principal to whom the application can forward the ticket.

TransitedListSize: MUST be the number of elements in the S4UTransitedServices array.

S4UTransitedServices: MUST contain the list of all services that have been delegated through by this client and subsequent services or servers.

=== /snip ===

The S4U2proxyTarget seems to be expected to be a service principal name (SPN) without the realm part (host/<servername>). Is that correct? Does the format matter or can it be also <servername>$.

S4UTransitedServices seems to expect a list of SPNs (<service>/ <servername>@<realm<). Does this need to be host/<servername>@<realm> or can it also be in the for <servername>$@<realm>?

Thank you very much for your assistance.

Best regards


Andreas Schneider                      asn at samba.org
Samba Team                             https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.samba.org%2F&data=04%7C01%7Cjeffm%40microsoft.com%7C3ebbbb780e6a4a6213e908d9b35d110a%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637738034578928455%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=slIoX95j1bAEhikDdSQYTWGX6SmXYHrxcwrs1egzvTs%3D&reserved=0
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the cifs-protocol mailing list