[cifs-protocol] [EXTERNAL] [MS-ADTS] msDS-KeyCredentialLink Validated Write - TrackingID#2506180040000979

Obaid Farooqi obaidf at microsoft.com
Fri Jun 20 21:37:27 UTC 2025 

Hi Jenniffer:
I will help you with this issue and will be in touch as soon I have an answer.
Can you reproduce this scenario at will? If you can, please send me your Microsoft account username (please don't send password) so that I can send you binaries for time travel debugging (TTD).
You can collect some traces with it and send those to me. I'll send detailed instructions with the TTD binaries

Regards,
Obaid Farooqi
Sr. Escalation Engineer | Microsoft

-----Original Message-----
From: Tom Jebo <tomjebo at microsoft.com>
Sent: Tuesday, June 17, 2025 11:50 PM
To: Jennifer Sutton <jsutton at samba.org>; cifs-protocol at lists.samba.org
Cc: Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] [MS-ADTS] msDS-KeyCredentialLink Validated Write - TrackingID#2506180040000979

[dochelp to bcc]
[support mail to cc]

Hi Jennifer,

Thanks for your request regarding [MS-ADTS] 3.1.1.5.3.1.1.6 msDS-KeyCredentialLink. One of the Open Specifications team members will respond to assist you. In the meantime, we've created case 2506180040000979 to track this request. Please leave the case number in the subject when communicating with our team about this request.

Best regards,
Tom Jebo
Microsoft Open Specifications Support

-----Original Message-----
From: Jennifer Sutton <jsutton at samba.org>
Sent: Tuesday, June 17, 2025 9:26 PM
To: cifs-protocol at lists.samba.org; Interoperability Documentation Help <dochelp at microsoft.com>
Subject: [EXTERNAL] [MS-ADTS] msDS-KeyCredentialLink Validated Write

Hi dochelp,

I'm looking at the list of constraints for performing a validated write of msDS-KeyCredentialLink ([MS-ADTS] 3.1.1.5.3.1.1.6, 'msDS-KeyCredentialLink').

In my testing, I've found that Windows Server 2025 allows the validated write even if the KEYCREDENTIALLINK_BLOB value does not meet the constraints (specifically the restrictions on KeyUsage, KeySource, CustomKeyInformation, and KeyApproximateLastLogonTimeStamp). Can you confirm whether the specifications [0] match the behaviour of Windows, or if there's something I've missed?

Cheers,
Jennifer (she/her)

[0]
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f70afbcc-780e-4d91-850c-cfadce5bb15c

More information about the cifs-protocol mailing list