[REG: 114100211861646] serviceprincipalname RPC/<NTDSGUID>._msdcs.<domain>.<tld>

Matthieu Patou mat at samba.org
Fri Oct 10 00:16:06 MDT 2014


Hi Edgar,

It makes sense. Thanks for the explanation.

Did I get it right that there will be a Windows behavior note, 
indicating that versions earlier than Windows 2012 don't register this SPN?

Matthieu.

On 10/09/2014 02:07 PM, Edgar Olougouna wrote:
> Matthieu,
> The servicePrincipalName "RPC/<DSA GUID based DNS hostname>" gets used in the case where an administrator has locked down RPC endpoint resolution such that the default AD RPC binding attempts fail (see More details). This was fixed during the development of Windows Server 2012.
> To get AD to work in that configuration, a Windows Server 2012-based DC registers the RPC SPN. Incidentally, the binding code was modified to retry the endpoint resolution as authenticated if anonymous resolution failed. That was the intent of this SPN.
> After conferring with the product group, a document bug was opened and our plan is to add this requirement to MS-DRSR Section 2.2.3.2 SPN for a Target DC in AD DS, with a reference to MS-RPCE Section 3.1.1.1.3 Authorization Policy, to further motivate the requirement.
> <DSA GUID based DNS hostname> is the DNS host name of the target DC, constructed in the form "<DSA GUID>._msdcs.<DNS forest name>".
> An example of the abovementioned SPN with “RPC” service class is RPC/c3c27d50-486d-4fdd-8e28-e6033e9b9a38._msdcs.contoso.com.
> More details:
> It has to do with the configuration on the DC where the administrator locks down things and configures restrictions,
> i.e. configuring RPC security group policies on DCs:
> Computer Configuration \ <policies> \ Administrative Templates \ System \ Remote Procedure Call
> Restrictions for unauthenticated RPC clients = Enabled, Authenticated without Exceptions
> RPC endpoint mapper client authentication = Enabled
> ...which translates to the following registry keys (referenced in MS-RPCE 3.1.1.1.3 Authorization Policy):
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
> EnableAuthEpResolution = 1
> RestrictRemoteClients = 2
> Per the bug report (without the change made in 2012), with such a configuration AD Replication would have failed with "access is denied" when the RPC security group policy is enabled.
>
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Thursday, October 2, 2014 8:34 PM
> To: mat at samba.org
> Cc: MSSolve Case Email
> Subject: RE: [REG: 114100211861646] serviceprincipalname RPC/<NTDSGUID>._msdcs.<domain>.<tld>
>
> Matthieu,
> I am looking into this and will follow-up.
>
> Thanks,
> Edgar
>
> -----Original Message-----
> From: Matt Weber
> Sent: Thursday, October 2, 2014 8:48 AM
> To: mat at samba.org
> Cc: MSSolve Case Email
> Subject: [REG: 114100211861646] serviceprincipalname RPC/<NTDSGUID>._msdcs.<domain>.<tld>
>
> [Case number in subject]
> [Casemail to cc]
> [Dochelp to bcc]
>
> Hello Matthieu,
>
> Thank you for your request. The case number 114100211861646 has been created for this inquiry. One of our team members will follow-up with you soon.
>
> Best regards,
> Matt Weber | Microsoft Open Specifications Team
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat at samba.org]
> Sent: Thursday, October 2, 2014 3:16 AM
> To: Interoperability Documentation Help
> Subject: serviceprincipalname RPC/<NTDSGUID>._msdcs.<domain>.<tld>
>
> Hello Dochelp,
>
> I'm not able to find the document that explains when a server should have this serviceprincipalname registered and when it is used by clients (and how).
>
> Can you point me to the correct document ?
>
> Thanks.
>
> Matthieu.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>
>


-- 
Matthieu Patou
Samba Team
http://samba.org
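The check Edgar's explanation implies, as an added example that is not part of the thread or of Samba's code: build the "RPC/<DSA GUID>._msdcs.<DNS forest name>" SPN from a DC's NTDS Settings objectGUID, compare it against the DC account's servicePrincipalName values, and flag DCs that enforce the two RPC lockdown policy values but lack that SPN (the case in which partners fail with "access is denied"). The DC inventory, the second GUID and the finding labels are constructed for the example.

```python
import uuid

# Registry policy values quoted in the thread (MS-RPCE 3.1.1.1.3 Authorization Policy).
RPC_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"
LOCKDOWN_VALUES = {"EnableAuthEpResolution": 1, "RestrictRemoteClients": 2}


def expected_rpc_spn(dsa_guid, forest_dns_name):
    """Build RPC/<DSA GUID>._msdcs.<DNS forest name> for a target DC.

    dsa_guid is the objectGUID of the DC's NTDS Settings object; uuid.UUID()
    accepts braces/mixed case and rejects malformed input.
    """
    guid = str(uuid.UUID(str(dsa_guid)))
    return f"RPC/{guid}._msdcs.{forest_dns_name.strip('.').lower()}"


def has_rpc_spn(spns, dsa_guid, forest_dns_name):
    """SPN comparison is case-insensitive, as in AD."""
    want = expected_rpc_spn(dsa_guid, forest_dns_name).lower()
    return any(spn.lower() == want for spn in spns)


def rpc_lockdown_enabled(policy_values):
    """True only when both policy values match the locked-down configuration."""
    return all(policy_values.get(k) == v for k, v in LOCKDOWN_VALUES.items())


def audit_dcs(dcs, forest_dns_name):
    """Return {dc_name: finding}; lockdown without the RPC SPN is the failure case."""
    findings = {}
    for dc in dcs:
        locked = rpc_lockdown_enabled(dc["policy"])
        spn_ok = has_rpc_spn(dc["spns"], dc["dsa_guid"], forest_dns_name)
        if locked and not spn_ok:
            findings[dc["name"]] = "lockdown-without-rpc-spn"
        elif spn_ok:
            findings[dc["name"]] = "ok"
        else:
            findings[dc["name"]] = "no-rpc-spn-but-not-locked-down"
    return findings


# Constructed sample inventory (not real data); DC1 uses the GUID from the thread.
SAMPLE_DCS = [
    {"name": "DC1", "dsa_guid": "{C3C27D50-486D-4FDD-8E28-E6033E9B9A38}",
     "spns": ["HOST/dc1.contoso.com",
              "RPC/c3c27d50-486d-4fdd-8e28-e6033e9b9a38._msdcs.contoso.com"],
     "policy": {"EnableAuthEpResolution": 1, "RestrictRemoteClients": 2}},
    {"name": "DC2", "dsa_guid": "0f3a5f1e-2b7c-4c9d-9a1e-6d5b4c3a2f10",  # constructed GUID
     "spns": ["HOST/dc2.contoso.com", "LDAP/dc2.contoso.com"],
     "policy": {"EnableAuthEpResolution": 1, "RestrictRemoteClients": 2}},
]

if __name__ == "__main__":
    for name, finding in audit_dcs(SAMPLE_DCS, "contoso.com").items():
        print(f"{name}: {finding}")
```

In practice the `spns` list would come from an LDAP read of the DC computer object and `policy` from the DC's registry under `RPC_POLICY_KEY`.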
