[prev in list] [next in list] [prev in thread] [next in thread]
List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:120042221001608] MS-KILE | Handling of more than one AD-IF-RELEVANT in Wind
From: Isaac Boukris via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date: 2020-04-29 12:56:44
Message-ID: CAC-fF8SYEcdsfEx8DTRWD_O+pZYsiSbTOEbH-OJY0TC3-K1Fhw () mail ! gmail ! com
[Download RAW message or body]
Hi Jeff and Obaid,
I've just uploaded the debug file and the capture to the workspace.
The packet capture won't be useful as I'm testing the applicability of
KERB_AP_OPTIONS_CBT which requires the test to run over TLS.
Here is the description of the test; the DC is configured with
LdapEnforceChannelBinding=1 and the client does not send
channel-bindings (that is, 16 zeroes), so the server should only
reject the request if KERB_AP_OPTIONS_CBT is present in the
authenticator.
The client makes the first request (cn=isaac), adding
KERB_AP_OPTIONS_CBT as a separate AD-IF-RELEVANT like below, and does
not get recognized by the server, that is the ldapsearch command
succeeds (incorrectly).
authorization-data: 2 items
AuthorizationData item
ad-type: AD-IF-RELEVANT (1)
ad-data: 3011300fa00402020081a10704053003020112
AuthorizationData item
ad-type: AD-GSS-API-ETYPE-NEGOTIATION (129)
ad-data: 3003020112
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
AuthorizationData item
ad-type: AD-IF-RELEVANT (1)
ad-data: 3010300ea0040202008fa106040400400000
AuthorizationData item
ad-type: AD-AP-OPTIONS (143)
ad-data: 00400000
AD-AP-Options: 0x00004000, ChannelBindings
.... .... .... .... .1.. .... .... .... =
ChannelBindings: Set
Then the client makes the same request again, only with
KERB_AP_OPTIONS_CBT in a single AD-IF-RELEVANT container and then it
gets recognized by the server and the ldapsearch request fails as
expected.
authorization-data: 1 item
AuthorizationData item
ad-type: AD-IF-RELEVANT (1)
ad-data: 3010300ea0040202008fa106040400400000
AuthorizationData item
ad-type: AD-AP-OPTIONS (143)
ad-data: 00400000
AD-AP-Options: 0x00004000, ChannelBindings
.... .... .... .... .1.. .... .... .... =
ChannelBindings: Set
ldapsearch -h adc.acme.com -b dc=acme,dc=com cn=isaac -Y GSSAPI -N -ZZ
-O maxssf=0
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
additional info: 80090346: LdapErr: DSID-0C090569, comment:
AcceptSecurityContext error, data 80090346, v4563
I've also tested with other ad-types inside the single AD-IF-RELEVANT
container (not in the debug file), and it works fine as well (that is,
ldapsearch yields same "Invalid credentials (49)").
authorization-data: 1 item
AuthorizationData item
ad-type: AD-IF-RELEVANT (1)
ad-data:
3021300fa00402020081a10704053003020112300ea0040202008fa106040400400000
AuthorizationData item
ad-type: AD-GSS-API-ETYPE-NEGOTIATION (129)
ad-data: 3003020112
ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
AuthorizationData item
ad-type: AD-AP-OPTIONS (143)
ad-data: 00400000
AD-AP-Options: 0x00004000, ChannelBindings
.... .... .... .... .1.. .... .... .... =
ChannelBindings: Set
Thank you for looking into it.
On Tue, Apr 28, 2020 at 4:57 PM Jeff McCashland <jeffm@microsoft.com> wrote:
>
> Hi Issac,
>
> I have added Obaid Farooqi to the email, as he will also be assisting with this \
> issue.
> Do you have any questions about the information I've requested? When do you think \
> you may be able to collect traces?
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open \
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific \
> Time (US and Canada) Local country phone number found here: \
> http://support.microsoft.com/globalenglish | Extension 1138300 We value your \
> feedback. My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475
> -----Original Message-----
> From: Jeff McCashland
> Sent: Thursday, April 23, 2020 8:09 AM
> To: 'Isaac Boukris' <iboukris@gmail.com>; 'Greg Hudson' <ghudson@mit.edu>; 'Stefan \
> Metzmacher' <metze@samba.org>; 'Andrew Bartlett' <abartlet@samba.org>; \
> 'cifs-protocol@lists.samba.org' <cifs-protocol@lists.samba.org>
> Cc: support <support@mail.support.microsoft.com>
> Subject: RE: [REG:120042221001608] MS-KILE | Handling of more than one \
> AD-IF-RELEVANT in Windows
> Hi Isaac,
>
> To troubleshoot this issue, I need to collect lsass TTT traces with a matching \
> network trace. I have created a File Transfer workspace for this issue. Please find \
> your credentials and a link to the workspace below. Please let me know if anyone \
> else needs access to the workspace. I will generate credentials for each \
> individual.
> If you log into the workspace using the provided credentials, you will find \
> "PartnerTTDRecorder_x86_x64.zip" available for download. Please extract the x64 \
> version of the tool and place it on your AD Server.
> To collect the needed traces:
> 1. From an elevated command prompt, execute: tasklist /FI "IMAGENAME eq \
> lsass.exe" 2. Note the PID of the lsass process from the output of the above \
> command. 3. Execute: C:\TTD\TTTracer.exe -attach PID, where PID is the number \
> from above. 4. Wait for a little window to pop up in top left corner of your \
> screen, titled "lsass01.run" 5. start a network trace on the Server side
> 6. Repro the attempted AD request
> 7. Stop the network trace and save it
> 8. Carefully uncheck the checkbox next to "Tracing" in the small "lsass01.run" \
> window. Do not close or exit the small window or you will need to reboot. 9. \
> The TTTracer.exe process will generate a trace file, then print out the name and \
> location of the file.
> Please upload the network trace and TTTracer.exe trace to the File Transfer \
> workspace. It would be helpful if you could let me know which frame of the network \
> trace has the failed AD request of interest.
> Credentials for Isaac:
> Log in as: 120042221001608_isaac@dtmxfer.onmicrosoft.com
> 1-time: O1IKG?(@
>
> Workspace URL: https://support.microsoft.com/files?workspace=eyJ0eXAiOiJKV1QiLCJhbGc \
> iOiJSUzI1NiJ9.eyJ3c2lkIjoiNDRiNjQwMzctOTRkMS00ZjU2LTg3Y2ItN2ViMDljM2JlYWFlIiwic3IiOi \
> IxMjAwNDIyMjEwMDE2MDgiLCJhcHBpZCI6ImU2ZWU0M2ViLTBmYmMtNDU0Ni1iYzUyLTRjMTYxZmNkZjRjNC \
> IsInN2IjoidjEiLCJycyI6IkV4dGVybmFsIiwid3RpZCI6Ijk5MGZiMDdjLWE4Y2UtNDExZS04ZTgyLWNlNW \
> Y4MmZiOTUwNyIsImlzcyI6Imh0dHBzOi8vYXBpLmR0bW5lYnVsYS5taWNyb3NvZnQuY29tIiwiYXVkIjoiaH \
> R0cDovL3NtYyIsImV4cCI6MTU5NTQyOTYxMSwibmJmIjoxNTg3NjUzNjExfQ.axEbJMAR8BgxMEnRXsHQm7T \
> U9-BzYDdyIv1ZAONfIHg9CWy2qK8xtNWsHdCG8rTFbO-aJ25wpiCNcc7PGVgZzwNVJAGfmG5CHsOUU9Pdqd_ \
> O7jFnOluLZkSVij0RazFmc30DLoSOnFtNFO9NGXLPQX4QSqt7EhXGgp0kmCyEDzcShHQLdXlL_tfo8sPX8HG \
> xlAF3tByp9nhVB8mjDOK51gHqM5c8TRdmm92U2Uz6oeWvkfjgc714EO8iuPtBd1_QesziWIsrgRj065Gy-AC \
> mxTjSkJPi4U9ZwPEZK75TuMsV2fCXmkXEjBk6kLRHemm1C7XMGq33xC19DHPvdTo1_g&wid=44b64037-94d1-4f56-87cb-7eb09c3beaae
>
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open \
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific \
> Time (US and Canada) Local country phone number found here: \
> http://support.microsoft.com/globalenglish | Extension 1138300 We value your \
> feedback. My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475
> -----Original Message-----
> From: Jeff McCashland
> Sent: Wednesday, April 22, 2020 1:09 PM
> To: Isaac Boukris <iboukris@gmail.com>; Greg Hudson <ghudson@mit.edu>; Stefan \
> Metzmacher <metze@samba.org>; Andrew Bartlett <abartlet@samba.org>; \
> cifs-protocol@lists.samba.org
> Cc: support <support@mail.support.microsoft.com>
> Subject: RE: [REG:120042221001608] MS-KILE | Handling of more than one \
> AD-IF-RELEVANT in Windows
> [Bryan to BCC]
>
> Hi Isaac,
>
> I will assist you with this issue. Let me do some research and get back to you.
>
> Best regards,
> Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open \
> Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific \
> Time (US and Canada) Local country phone number found here: \
> http://support.microsoft.com/globalenglish | Extension 1138300 We value your \
> feedback. My manager is Jeremy Chapman (jeremyc), +1 (469) 775-2475
> -----Original Message-----
> From: Bryan Burgin <bburgin@microsoft.com>
> Sent: Wednesday, April 22, 2020 9:03 AM
> To: Isaac Boukris <iboukris@gmail.com>; Greg Hudson <ghudson@mit.edu>; Stefan \
> Metzmacher <metze@samba.org>; Andrew Bartlett <abartlet@samba.org>; \
> cifs-protocol@lists.samba.org
> Cc: support <support@mail.support.microsoft.com>
> Subject: [REG:120042221001608] MS-KILE | Handling of more than one AD-IF-RELEVANT \
> in Windows
> Hi Isaac,
>
> Thank you for your question. We created SR 120042221001608 to track this issue. \
> An engineer will contact you soon.
> Bryan
>
> -----Original Message-----
> From: Isaac Boukris <iboukris@gmail.com>
> Sent: Wednesday, April 22, 2020 5:21 AM
> To: Interoperability Documentation Help <dochelp@microsoft.com>; Greg Hudson \
> <ghudson@mit.edu>; Stefan Metzmacher <metze@samba.org>; Andrew Bartlett \
> <abartlet@samba.org>; cifs-protocol@lists.samba.org
> Subject: [EXTERNAL] MS-KILE | Handling of more than one AD-IF-RELEVANT in Windows
>
> Hello dochelp,
>
> From many tests involving MS-PAC authorization data in a ticket, and recently by \
> testing authorization-data in the authenticator (ap-req), it appears as if Windows \
> would only handle the first AD-IF-RELEVANT element (RFC4120), and would ignore \
> additional ones when present.
> So if for instance a ticket has more than one AD-IF-RELEVANT element and the PAC is \
> wrapped in the second one, the server fails to handle the request. Same goes for \
> KERB_AP_OPTIONS_CBT in authenticator, I can see that it is not handled when it is \
> wrapped in a second AD-IF-RELEVANT.
> I wonder if this understanding is correct, if it is a known issue, if it is \
> documented anywhere, and whether this is planned to be fixed in future versions of \
> Windows.
> Thanks!
>
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic