[cifs-protocol] [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014
iboukris at gmail.com
Mon Sep 13 09:37:28 UTC 2021
Just as a heads up, I think there are a couple of other places that would
need updating with regard to RBCD requiring the forwardable flag by
default; when I get time I'll go over MS-SFU and ping dochelp.
On Wed, Sep 8, 2021 at 9:27 PM Jeff McCashland <jeffm at microsoft.com> wrote:
> Hi Isaac,
> We have updated [MS-SFU] for the next release of the document:
> 1.2.2 Informative References
> [MSFT-RBCD-ProtectedUserChanges] Microsoft Corporation, "Managing deployment of RBCD/Protected User changes for CVE-2020-16996", https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3
> 188.8.131.52.3 Using ServicesAllowedToReceiveForwardedTicketsFrom
> If the service ticket in the additional-tickets field is not set to forwardable,<22> then the KDC MUST return KRB-ERR-BADOPTION with STATUS_ACCOUNT_RESTRICTION ([MS-ERREF] section 2.3.1).<23>
> New WBN:
> <23> Section 184.108.40.206.3: The Kerberos Security Feature Bypass Vulnerability March 12, 2021 [MSFT-CVE-2021-16996] update adds support for the NonForwardableDelegation registry value to (0) enable Enforcement of protection on Active Directory domain controller servers. Active Directory domain controllers will be in Enforcement mode unless the enforcement mode registry key is set to (1) disabled. This update applies to Windows Server 2012 operating system and later. For additional information that includes Windows Server 2008 operating system with Service Pack 2 (SP2) and Windows Server 2008 R2 operating system with Service Pack 1 (SP1) see [MSFT-RBCD-ProtectedUserChanges].
> I hope that helps!
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> We value your feedback. My manager is Natesha Morrison (namorri), +1 (704) 430-4292
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Wednesday, July 28, 2021 1:31 AM
> To: Jeff McCashland <jeffm at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Jeff McCashland <jeffm at microsoftsupport.com>
> Subject: Re: [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014
> Hi Jeff
> On Tue, Jul 27, 2021 at 11:31 PM Jeff McCashland <jeffm at microsoft.com> wrote:
> > Hi Isaac,
> > You are correct about the NonForwardableDelegation enabled behavior:
> > If the evidence ticket is not forwardable, the KDC immediately returns KDC_ERR_BADOPTION with the status code STATUS_ACCOUNT_RESTRICTION.
> Thanks for the confirmation, looking forward to seeing the doc update.
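The KDC-side check confirmed in the thread above, written out as an added example; this is not code from MS-SFU, Samba or MIT krb5 and nothing in the thread is a code listing. The model decodes the evidence ticket's TicketFlags from the content octets of the KerberosFlags BIT STRING using the bit numbering of RFC 4120 section 5.2.8 (bit 0 is the MSB of the first octet, forwardable is bit 1), then applies the rule quoted from MS-SFU: a non-forwardable evidence ticket on the RBCD path yields KDC_ERR_BADOPTION with STATUS_ACCOUNT_RESTRICTION while NonForwardableDelegation is 0 (enforcement). The meaning of the registry value (0 = enforcement, 1 = disabled) is taken from the quoted WBN; that a disabled setting lets the KDC continue with the ServicesAllowedToReceiveForwardedTicketsFrom evaluation as before the update is an assumption, as is the simplification that only this one check of the S4U2proxy processing is modelled. The sample flag encodings are constructed for the example.

```python
"""Model of the S4U2proxy evidence-ticket forwardable check from MS-SFU.

Added example only (not MS-SFU, Samba or MIT krb5 code).  Only the
forwardable check discussed in the thread is modelled; the rest of the
S4U2proxy processing (PAC validation, the allowed-from list, Protected
Users handling) is deliberately left out.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Tuple

# RFC 4120 section 5.3 TicketFlags bit numbers (bit 0 = MSB of first octet).
TKT_FORWARDABLE = 1
TKT_RENEWABLE = 8
TKT_PRE_AUTHENT = 10
TKT_OK_AS_DELEGATE = 13

KDC_ERR_BADOPTION = 13                    # RFC 4120 section 7.5.9
STATUS_ACCOUNT_RESTRICTION = 0xC000006E   # [MS-ERREF] section 2.3.1


def decode_kerberos_flags(content: bytes) -> FrozenSet[int]:
    """Decode the content octets of a DER BIT STRING carrying KerberosFlags.

    The first octet is the number of unused trailing bits; RFC 4120 requires
    at least 32 flag bits, so a ticket normally encodes exactly 0x00 + 4 octets.
    """
    if not content:
        raise ValueError("empty BIT STRING")
    unused, payload = content[0], content[1:]
    nbits = len(payload) * 8 - unused
    if unused > 7 or nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return frozenset(i for i in range(nbits)
                     if payload[i // 8] & (0x80 >> (i % 8)))


def encode_kerberos_flags(bits: Iterable[int]) -> bytes:
    """Inverse of decode_kerberos_flags, used here to build sample tickets."""
    bits = set(bits)
    width = max(32, (max(bits, default=0) // 8 + 1) * 8)
    buf = bytearray(width // 8)
    for b in bits:
        buf[b // 8] |= 0x80 >> (b % 8)
    return bytes([0]) + bytes(buf)


@dataclass
class KdcConfig:
    # NonForwardableDelegation as described in the WBN quoted in the thread:
    # 0 = enforcement (the default), 1 = enforcement disabled.  The registry
    # location of the value is not modelled; this is just the KDC's view of it.
    non_forwardable_delegation: int = 0


def check_rbcd_evidence_ticket(evidence_flags: FrozenSet[int],
                               cfg: KdcConfig) -> Optional[Tuple[int, int]]:
    """Apply the MS-SFU rule for the ticket in the additional-tickets field.

    Returns None when S4U2proxy may continue with the RBCD evaluation, or the
    (KDC error, NT status) pair the KDC must return.
    """
    if TKT_FORWARDABLE in evidence_flags:
        return None
    if cfg.non_forwardable_delegation == 1:
        # Assumption: with enforcement disabled the KDC behaves as before the
        # CVE-2020-16996 update and proceeds with the RBCD checks.
        return None
    return (KDC_ERR_BADOPTION, STATUS_ACCOUNT_RESTRICTION)


if __name__ == "__main__":
    # Constructed sample: forwardable, renewable, pre-authent (0x40a00000).
    forwardable_tkt = b"\x00\x40\xa0\x00\x00"
    # Constructed sample: the same ticket with forwardable cleared (0x00a00000).
    non_forwardable_tkt = encode_kerberos_flags({TKT_RENEWABLE, TKT_PRE_AUTHENT})
    for name, raw in (("forwardable", forwardable_tkt),
                      ("non-forwardable", non_forwardable_tkt)):
        flags = decode_kerberos_flags(raw)
        for setting in (0, 1):
            result = check_rbcd_evidence_ticket(flags, KdcConfig(setting))
            verdict = "continue" if result is None else (
                "KDC_ERR_BADOPTION / STATUS_ACCOUNT_RESTRICTION 0x%08X" % result[1])
            print(f"{name:16} NonForwardableDelegation={setting}: {verdict}")
```

Running the block prints the four combinations; the only rejected case is the non-forwardable evidence ticket under enforcement, which is exactly the behaviour Jeff confirms for the enabled setting.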