[cifs-protocol] [EXTERNAL] Re: Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Isaac Boukris iboukris at gmail.com
Wed Oct 20 17:27:24 UTC 2021

Hi Sreekanth,

Thanks for investigating this.

On Wed, Oct 20, 2021 at 8:06 PM Sreekanth Nadendla
<srenaden at microsoft.com> wrote:
> In order for this to work the user must have authenticated to an RODC to get their RODC TGT. Then that user must have privileges to access a server outside the RODC environment, such that the server gets a TGT from a RWDC. Then the user must request a ticket from the RODC and get an RODC service ticket to the server authenticated by the RWDC. To the best of my knowledge that last bit is the sticking point. That RODC shouldn’t normally be able to issue a ticket to that server. That breaks the RODC security model.

That should depend on the configuration to my understanding.

> I'm still working with them for doc obligations. Will provide an update if they determine whether we need to update the spec. Right now they don't seem to think we have anything to update in the spec.

I must agree on that; I can't seem to find any related spec if we were
to call it an update.
