[cifs-protocol] [EXTERNAL] Re: Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380
srenaden at microsoft.com
Mon Sep 20 21:21:54 UTC 2021
Hi Isaac, from the time travel traces you've provided, I've been able to find the place in code where we are raising the error. I'm working with the team that owns this area of code to double check our open spec docs and determine what we should've been documented etc.. I will let you know what the outcome is as soon as a decision is made.
Microsoft Windows Open Specifications
From: Isaac Boukris <iboukris at gmail.com>
Sent: Monday, September 20, 2021 4:33 PM
To: Sreekanth Nadendla <srenaden at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Greg Hudson <ghudson at mit.edu>; Andrew Bartlett <abartlet at samba.org>; metze <metze at samba.org>; josephsutton at catalyst.net.nz
Subject: [EXTERNAL] Re: Kerberos Constrained-Delegation in RODC environment - TrackingID#2108090040003380
Any findings on this matter?
On Mon, Sep 6, 2021 at 5:48 PM Isaac Boukris <iboukris at gmail.com> wrote:
> Hi Sreekanth,
> I've taken the debugs and collected the event-log error, and have
> uploaded all the files.
> The event-log error says: "During TGS processing, the KDC was unable
> to verify the signature on the PAC from apache. This indicates the PAC
> was modified."
> So the question still stands: why can't the KDC check the
> RODCIdentifier and fetch the right key to verify the KDC signatures.
More information about the cifs-protocol