[cifs-protocol] [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014

Jeff McCashland jeffm at microsoft.com
Mon Sep 13 18:37:05 UTC 2021


I look forward to hearing from you!

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Monday, September 13, 2021 2:37 AM
To: Jeff McCashland <jeffm at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>
Subject: Re: [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014

Thanks Jeff!

Just as a heads up I think there are a couple of other places that'd need updating, with regards to RBCD requiring the forwardable flag by default, when I get time I'll go over MS-SFU and ping dochelp.

Regards

On Wed, Sep 8, 2021 at 9:27 PM Jeff McCashland <jeffm at microsoft.com> wrote:
>
> [-support]
>
> Hi Isaac,
>
> We have updated [MS-SFU] for the next release of the document:
>
> 1.2.2 Informative References
> [MSFT-RBCD-ProtectedUserChanges] Microsoft Corporation, "Managing 
> deployment of RBCD/Protected User changes for CVE-2020-16996", 
> https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3
>
> 3.2.5.2.3 Using ServicesAllowedToReceiveForwardedTicketsFrom
> If the service ticket in the additional-tickets field is not set to 
> forwardable,<22> then the KDC MUST return KRB-ERR-BADOPTION with 
> STATUS_ACCOUNT_RESTRICTION ([MS-ERREF] section 2.3.1).<23>
>
> New WBN:
> <23> Section 3.2.5.2.3: The Kerberos Security Feature Bypass Vulnerability March 12, 2021 [MSFT-CVE-2021-16996] update adds support for the NonForwardableDelegation registry value to (0) enable Enforcement of protection on Active Directory domain controller servers. Active Directory domain controllers will be in Enforcement mode unless the enforcement mode registry key is set to (1) disabled. This update applies to Windows Server 2012 operating system and later. For additional information that includes Windows Server 2008 operating system with Service Pack 2 (SP2) and Windows Server 2008 R2 operating system with Service Pack 1 (SP1) see [MSFT-RBCD-ProtectedUserChanges].
>
> I hope that helps!
>
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open 
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: 
> (UTC-08:00) Pacific Time (US and Canada) Local country phone number 
> found here: 
> http://support.microsoft.com/globalenglish | 
> Extension 1138300 We value your feedback.  My manager is Natesha 
> Morrison (namorri), +1 (704) 430-4292
>
> -----Original Message-----
> From: Isaac Boukris <iboukris at gmail.com>
> Sent: Wednesday, July 28, 2021 1:31 AM
> To: Jeff McCashland <jeffm at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Jeff 
> McCashland <jeffm at microsoftsupport.com>
> Subject: Re: [EXTERNAL] [MS-SFU] Clarify the new 
> NonForwardableDelegation flag - TrackingID#2107090040004014
>
> Hi Jeff
>
> On Tue, Jul 27, 2021 at 11:31 PM Jeff McCashland <jeffm at microsoft.com> wrote:
> >
> > Hi Isaac,
> >
> > You are correct about the NonForwardableDelegation enabled behavior:
> > If the evidence ticket is not forwardable, the KDC immediately returns KDC_ERR_BADOPTION with the status code STATUS_ACCOUNT_RESTRICTION.
>
> Thanks for the confirmation, looking forward to seeing the doc update.
>
> Regards
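An added illustration (not Microsoft's or Samba's code) of the KDC decision described in the updated section 3.2.5.2.3 above: decode the flags of the evidence ticket carried in additional-tickets and apply the NonForwardableDelegation setting, whose default of 0 means enforcement. It assumes RFC 4120 KerberosFlags bit numbering and the numeric values of KDC_ERR_BADOPTION (13) and STATUS_ACCOUNT_RESTRICTION (0xC000006E), which the thread does not spell out.

```python
# Added example modelling the [MS-SFU] 3.2.5.2.3 check discussed in this
# thread; it is not Microsoft or Samba code. Assumptions: RFC 4120
# KerberosFlags bit numbering (bit 0 = MSB of the first octet), the RFC 4120
# error code for KDC_ERR_BADOPTION and the [MS-ERREF] value of
# STATUS_ACCOUNT_RESTRICTION.
from typing import Optional, Tuple

KDC_ERR_BADOPTION = 13                   # RFC 4120 error code (assumed)
STATUS_ACCOUNT_RESTRICTION = 0xC000006E  # [MS-ERREF] 2.3.1 (assumed value)

# RFC 4120 TicketFlags: bit 1 is "forwardable"; read as a 32-bit
# big-endian integer that is 0x40000000.
TKT_FLG_FORWARDABLE = 1 << 30

# NonForwardableDelegation registry value semantics quoted in the thread:
# 0 (or absent) = Enforcement mode, 1 = check disabled.
ENFORCEMENT = 0
DISABLED = 1


def ticket_flags_from_bitstring(contents: bytes) -> int:
    """Decode the contents octets of a DER BIT STRING holding KerberosFlags.

    The first octet is the count of unused trailing bits; the following
    octets carry the flags with bit 0 first. Returns the first 32 flag
    bits as an integer so named flags can be tested with a bitmask.
    """
    if not contents or contents[0] > 7:
        raise ValueError("malformed BIT STRING contents")
    bits = contents[1:5].ljust(4, b"\x00")
    return int.from_bytes(bits, "big")


def check_evidence_ticket(flags: int,
                          non_forwardable_delegation: int = ENFORCEMENT
                          ) -> Optional[Tuple[int, int]]:
    """Apply the S4U2Proxy evidence-ticket check from [MS-SFU] 3.2.5.2.3.

    Returns None when the request may proceed to the RBCD checks, or the
    (Kerberos error, NTSTATUS) pair the KDC returns when the ticket in
    additional-tickets is not forwardable and enforcement is on.
    """
    if non_forwardable_delegation == DISABLED:
        return None  # pre-update behaviour: forwardable flag not required
    if flags & TKT_FLG_FORWARDABLE:
        return None
    return (KDC_ERR_BADOPTION, STATUS_ACCOUNT_RESTRICTION)


# Constructed sample BIT STRING contents: 0 unused bits, then four flag octets
# (forwardable|renewable|pre-authent versus renewable|pre-authent only).
FORWARDABLE_EVIDENCE = bytes([0x00, 0x40, 0xA0, 0x00, 0x00])
NON_FORWARDABLE_EVIDENCE = bytes([0x00, 0x00, 0xA0, 0x00, 0x00])
```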


