[cifs-protocol] [EXTERNAL] Re: Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Sreekanth Nadendla srenaden at microsoft.com
Wed Oct 20 17:06:43 UTC 2021


Hello Isaac, after I've shared my analysis (+ line of code where our Kdc decides to raise error), product team informed me that that particular setup of kdc/rodc is NOT supported. In my opinion, I don't see why it would be unsupported and we also have no documentation indicating as such. So I've raised my concerns again and they are looking into those. 

One response for the problem case where you got err-modified is below

In order for this to work the user must have authenticated to an RODC to get their RODC TGT. Then that user must have privileges to access a server outside the RODC environment, such that the server gets a TGT from a RWDC. Then the user must request a ticket from the RODC and get an RODC service ticket to the server authenticated by the RWDC. To the best of my knowledge that last bit is the sticking point. That RODC shouldn’t normally be able to issue a ticket to that server. That breaks the RODC security model.

In these situations when the RODC receives the TGS-REQ to the server it should return an error code (3.3.5.7.7 -- STATUS_NO_SECRETS) that it isn’t allowed to issue that service ticket and to tell the client it needs to contact a RWDC.

I'm still working with them for doc obligations. Will provide an update if they determine whether we need to update the spec. Right now they don't seem to think we have anything to update in the spec.

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Wednesday, October 13, 2021 1:29 AM
To: Sreekanth Nadendla <srenaden at microsoft.com>; Mike Bowen <mibowe at microsoftsupport.com>; Interoperability Documentation Help <dochelp at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
Subject: Re: [EXTERNAL] Re: Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Hello Sreekanth, any news on this?

Thanks!

On Tue, Sep 21, 2021 at 12:25 AM Isaac Boukris <iboukris at gmail.com> wrote:
>
> Great, thanks for the update, regards :)
>
> On Tue, Sep 21, 2021 at 12:21 AM Sreekanth Nadendla 
> <srenaden at microsoft.com> wrote:
> >
> > Hi Isaac, from the time travel traces you've provided, I've been able to find the place in code where we are raising the error. I'm working with the team that owns this area of code to double check our open spec docs and determine what should've been documented etc. I will let you know what the outcome is as soon as a decision is made.
> >
> > Regards,
> > Sreekanth Nadendla
> > Microsoft Windows Open Specifications
> >
> > -----Original Message-----
> > From: Isaac Boukris <iboukris at gmail.com>
> > Sent: Monday, September 20, 2021 4:33 PM
> > To: Sreekanth Nadendla <srenaden at microsoft.com>
> > Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; 
> > Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; 
> > josephsutton at catalyst.net.nz
> > Subject: [EXTERNAL] Re: Kerberos Constrained-Delegation in RODC 
> > environment - TrackingID#2108090040003380
> >
> > Hi Sreekanth,
> >
> > Any findings on this matter?
> >
> > Thanks
> >
> > On Mon, Sep 6, 2021 at 5:48 PM Isaac Boukris <iboukris at gmail.com> wrote:
> > >
> > > Hi Sreekanth,
> > >
> > > I've taken the debugs and collected the event-log error, and have 
> > > uploaded all the files.
> > >
> > > The event-log error says: "During TGS processing, the KDC was 
> > > unable to verify the signature on the PAC from apache. This 
> > > indicates the PAC was modified."
> > >
> > > So the question still stands: why can't the KDC check the 
> > > RODCIdentifier and fetch the right key to verify the KDC signatures.
> > >
> > > Regards
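The two technical points in this thread are the RODC-side decision quoted above (an RODC must not issue a service ticket for a server whose secret it does not hold, and should instead return STATUS_NO_SECRETS so the client goes to a RWDC) and Isaac's question of how a KDC picks the right krbtgt key from the RODCIdentifier when verifying a PAC KDC signature. The following is an added, simplified model of both decisions written for this page; it is not Microsoft's KDC code and not normative MS-KILE behaviour. The realm data (RODC id 12345, the principal names, the key bytes) is constructed, and an HMAC over a "client|service" string stands in for the real PAC checksum.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed lab keys (placeholders, not real secrets). A RWDC holds every
# key; an RODC holds only its own krbtgt_<id> plus the accounts its password
# replication policy lets it cache.
KEYS = {
    "krbtgt": b"rwdc-krbtgt-key",          # full krbtgt account (RWDCs only)
    "krbtgt_12345": b"rodc-12345-krbtgt",  # per-RODC krbtgt for RODC id 12345
    "fileserver": b"fileserver-key",       # inside the RODC's replication scope
    "apache": b"apache-service-key",       # outside it: only a RWDC can issue for it
}
RODC_ID = 12345                            # constructed RODCIdentifier
STATUS_NO_SECRETS = "STATUS_NO_SECRETS"    # error named in the thread (MS-KILE 3.3.5.7.7)


@dataclass
class Ticket:
    client: str
    service: str
    rodc_identifier: Optional[int]   # RODCIdentifier of the issuing KDC, None for a RWDC
    pac_kdc_sig: bytes               # PAC KDC signature, keyed with the issuer's krbtgt key


@dataclass
class Kdc:
    name: str
    rodc_identifier: Optional[int]   # None for a RWDC
    keys: dict                       # long-term keys this DC actually holds

    def krbtgt_key_for(self, rodc_identifier: Optional[int]) -> Optional[bytes]:
        # The RODCIdentifier selects which krbtgt account's key signed the PAC.
        name = "krbtgt" if rodc_identifier is None else f"krbtgt_{rodc_identifier}"
        return self.keys.get(name)


def kdc_sign(key: bytes, client: str, service: str) -> bytes:
    # Stand-in for the real PAC checksum: HMAC over a minimal ticket body.
    return hmac.new(key, f"{client}|{service}".encode(), hashlib.sha256).digest()


def verify_pac_kdc_sig(kdc: Kdc, ticket: Ticket) -> Optional[str]:
    """None if the PAC KDC signature verifies, else an error string.
    This is the check behind the event-log error quoted in the thread."""
    key = kdc.krbtgt_key_for(ticket.rodc_identifier)
    if key is None:
        return "KDC_ERR: no krbtgt key for RODCIdentifier %r" % (ticket.rodc_identifier,)
    expected = kdc_sign(key, ticket.client, ticket.service)
    if not hmac.compare_digest(expected, ticket.pac_kdc_sig):
        return "KDC_ERR: PAC signature invalid (PAC was modified)"
    return None


def issue_tgt(kdc: Kdc, client: str) -> Ticket:
    own = kdc.krbtgt_key_for(kdc.rodc_identifier)
    return Ticket(client, "krbtgt", kdc.rodc_identifier, kdc_sign(own, client, "krbtgt"))


def handle_tgs_req(kdc: Kdc, tgt: Ticket, service: str):
    """Return (status, payload): status is 'OK', STATUS_NO_SECRETS or an error."""
    err = verify_pac_kdc_sig(kdc, tgt)
    if err:
        return (err, None)
    if service not in kdc.keys:
        if kdc.rodc_identifier is not None:
            # The behaviour the thread expects: an RODC without the server's
            # secret refuses and tells the client to contact a RWDC.
            return (STATUS_NO_SECRETS, "contact a RWDC")
        return ("KDC_ERR: unknown service principal", None)
    own = kdc.krbtgt_key_for(kdc.rodc_identifier)
    sig = kdc_sign(own, tgt.client, service)
    return ("OK", Ticket(tgt.client, service, kdc.rodc_identifier, sig))


def run_scenario() -> dict:
    rwdc = Kdc("rwdc", None, dict(KEYS))
    rodc = Kdc("rodc", RODC_ID, {k: KEYS[k] for k in ("krbtgt_12345", "fileserver")})
    rodc_tgt = issue_tgt(rodc, "user")          # user authenticated at the RODC
    out = {}
    # 1. Server in scope: the RODC issues the ticket itself.
    status, fs_ticket = handle_tgs_req(rodc, rodc_tgt, "fileserver")
    out["rodc_fileserver"] = status
    # 2. Server out of scope: the RODC refuses and refers the client to a RWDC.
    out["rodc_apache"] = handle_tgs_req(rodc, rodc_tgt, "apache")[0]
    # 3. The RWDC selects krbtgt_12345 via the RODCIdentifier, verifies, issues.
    out["rwdc_apache"] = handle_tgs_req(rwdc, rodc_tgt, "apache")[0]
    # 4. A RWDC verifying an RODC-issued ticket (the evidence-ticket situation):
    #    the RODCIdentifier yields the right key, so a genuine ticket verifies
    #    and a tampered PAC is reported as modified.
    out["evidence_ok"] = verify_pac_kdc_sig(rwdc, fs_ticket) is None
    tampered = Ticket(fs_ticket.client, fs_ticket.service,
                      fs_ticket.rodc_identifier, b"\x00" * 32)
    out["evidence_tampered"] = verify_pac_kdc_sig(rwdc, tampered)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

Step 2 is the STATUS_NO_SECRETS case from the reply above, step 3 is the same TGT accepted by a RWDC because it holds every krbtgt_<id> key, and step 4 is the key-selection question from the earlier message: a KDC that indexes its krbtgt keys by RODCIdentifier verifies an RODC-issued PAC, and only a genuinely altered PAC produces the "PAC was modified" result.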

