[cifs-protocol] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380

Isaac Boukris iboukris at gmail.com
Thu Sep 2 20:05:34 UTC 2021


Hi Sreekanth,

Thanks for getting back on this, I'll re-run the test and collect the
event-logs, let me know if there is any other debug I can take while
at it.

Regards

On Thu, Sep 2, 2021 at 10:51 PM Sreekanth Nadendla
<srenaden at microsoft.com> wrote:
>
> Hello Isaac, can you please send me the Windows Kdc (Active Directory ) event logs for the test scenarios ? I'm expecting an event to be logged for the case showing "err-modified" .
>
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
>
> -----Original Message-----
> From: Sreekanth Nadendla
> Sent: Tuesday, August 31, 2021 5:29 PM
> To: Isaac Boukris <iboukris at gmail.com>
> Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
> Subject: Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380
>
> Hi Isaac, I will be providing an update soon. Thank you for your patience.
>
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
>
>
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Friday, August 27, 2021 5:08 AM
> To: Michael Bowen <Mike.Bowen at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz; Mike Bowen <mibowe at microsoftsupport.com>
> Subject: Re: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380
>
> Hi again,
>
> Any takers?
>
> Thanks :)
>
> On Tue, Aug 10, 2021 at 8:29 PM Mike Bowen <Mike.Bowen at microsoft.com> wrote:
> >
> > [BCC DocHelp]
> >
> > Hi Isaac,
> >
> > Thank you for contacting Microsoft Open Specifications Support. A case with TrackingID#2108090040003380 has been created for this inquiry. Please leave the numbers in the subject line for reference. One of our team members will follow up with you soon.
> >
> > Mike Bowen
> > Escalation Engineer - Microsoft Open Specifications
> >
> > -----Original Message-----
> > From: Isaac Boukris <iboukris at gmail.com>
> > Sent: Tuesday, August 10, 2021 7:09 AM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>; cifs-protocol at lists.samba.org
> > Cc: Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
> > Subject: [EXTERNAL] Kerberos Constrained-Delegation in RODC environment
> >
> > Hello dochelp!
> >
> > I've been running some S4U tests in a RODC environment against fully updated Windows KDCs (supporting pac-ticket-signature). I noticed the following behavior when making a S4U2Proxy request to a RWDC, using a TGT and/or a 2nd ticket that was issued by a RODC (attached packet capture and keytab).
> >
> > TGT | 2nd-ticket | kdc | result
> > rwdc | rwdc | rwdc | works
> > rwdc | rodc | rwdc | err-modified?
> > rodc | rwdc | rwdc | works!
> > rodc | rodc | rwdc | works!
> >
> > You'd notice that test 3 and 4 both work, meaning the 2nd ticket can be issued by either a RWDC or a RODC, I guess the KDC checks the RODCIdentifier in the KDC PAC signatures (MS-PAC 2.8
> > PAC_SIGNATURE_DATA) in order to know what key to use to verify the signature, but it isn't clearly documented afaict.
> >
> > What I wonder about is test 2, this test uses a normal TGT with a 2nd ticket issued by a RODC, and we make the request against the RWDC, which knows the rodc-krbtgt_46673 key with which the pac-ticket was signed, so why does it fail with err-modified? Why is it worse than test 4 where both the TGT and the 2nd ticket were issued by RODC and it still works? And where is this error path documented (or should be)?
> >
> > Thanks!


