List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] Re: GUI and AD LDAP settings required to enable FAST - TrackingID#210
From:       Obaid Farooqi via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2021-04-29 17:31:59
Message-ID: SN6PR2101MB136034E2CB17FE2194CD84D3C65F9 () SN6PR2101MB1360 ! namprd21 ! prod ! outlook ! com
Hi Andrew, Metze:
MS-KILE describes the following way to determine if a realm supports FAST.
MS-KILE section "3.2.5.4 Using FAST When the Realm Supports FAST"
(https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/1db3d89f-4eb6-4ca5-88c2-e4cc5097db86)
states that:

"
In addition to the RFC behavior ([RFC6113]), the Kerberos client SHOULD use the
PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) from the TGT obtained from a
realm to determine if a realm supports FAST.

1. If the client does not have a TGT for the realm and is creating an:
   - AS-REQ: the client obtains a TGT for the computer principal from the user
     principal's domain.
   - TGS-REQ: the client obtains a referral TGT for the user principal for the
     target domain.
   - Compound identity TGS-REQ: the client obtains a user principal TGT and
     computer principal TGT for the target domain with the same key version
     numbers (section 3.1.5.8).
   If a TGT for the required principals cannot be obtained and RequireFAST is:
   - TRUE: the client fails the request.
   - FALSE: the client continues without FAST.

2. When processing the KRB_AS_REP or KRB_TGS_REP message, if the FAST-supported
   bit in the PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) of the TGT
   received in step 1 is:
   - Not set and RequireFAST is TRUE: the client fails the request.
   - Not set and RequireFAST is FALSE: the client continues without FAST.
   - Set: the client finds a DC that supports FAST and uses FAST:
     Locate a DS_BEHAVIOR_WIN2012 DC (section 3.2.5.3).
     If a DS_BEHAVIOR_WIN2012 DC is not found and RequireFAST is:
     - TRUE: the client fails the request.
     - FALSE: the client continues without FAST.
     If a DS_BEHAVIOR_WIN2012 DC is found, the client uses the TGT obtained in
     step 1 to armor the message it is creating ([RFC6113] sections 5.4.2, 5.4.3
     and 5.4.4) to the DS_BEHAVIOR_WIN2012 DC. If the request fails without an
     authenticated Kerberos error message ([RFC6113] section 5.4.4) and
     RequireFAST is TRUE, then the client fails the request.
"

Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft
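As an added illustration (not code from the thread or from MS-KILE), the client-side decision of step 2 above in Python: it decodes the PA-SUPPORTED-ENCTYPES [165] padata-value, assumed here to be the 32-bit little-endian KerbSupportedEncryptionTypes bitmask of MS-KILE 2.2.8 with FAST-supported at 0x00010000, and applies the RequireFAST / DS_BEHAVIOR_WIN2012 DC branching. The DC locator is a hypothetical callback and the sample bytes are constructed.

```python
import struct
from enum import IntFlag
from typing import Callable, Optional, Tuple

# KerbSupportedEncryptionTypes bit layout (MS-KILE 2.2.8). Treating the
# padata-value as a 32-bit little-endian integer is an assumption of this example.
class SupportedEncTypes(IntFlag):
    DES_CBC_CRC = 0x00000001
    DES_CBC_MD5 = 0x00000002
    RC4_HMAC = 0x00000004
    AES128_CTS_HMAC_SHA1_96 = 0x00000008
    AES256_CTS_HMAC_SHA1_96 = 0x00000010
    FAST_SUPPORTED = 0x00010000
    COMPOUND_IDENTITY_SUPPORTED = 0x00020000
    CLAIMS_SUPPORTED = 0x00040000
    RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000


def parse_pa_supported_enctypes(padata_value: bytes) -> SupportedEncTypes:
    """Decode the padata-value of PA-SUPPORTED-ENCTYPES [165] carried with the TGT."""
    if len(padata_value) != 4:
        raise ValueError("PA-SUPPORTED-ENCTYPES padata-value must be 4 bytes")
    (flags,) = struct.unpack("<I", padata_value)
    return SupportedEncTypes(flags)


def decide_fast(tgt_padata_value: Optional[bytes], require_fast: bool,
                find_win2012_dc: Callable[[], Optional[str]]) -> Tuple[str, Optional[str]]:
    """MS-KILE 3.2.5.4: return ("fast", dc), ("no-fast", None) or ("fail", None).

    tgt_padata_value is None when step 1 could not obtain an armor TGT.
    find_win2012_dc is a hypothetical locator for a DS_BEHAVIOR_WIN2012 DC (3.2.5.3).
    """
    fallback = ("fail", None) if require_fast else ("no-fast", None)
    if tgt_padata_value is None:            # step 1: no TGT for the armor principal
        return fallback
    flags = parse_pa_supported_enctypes(tgt_padata_value)
    if SupportedEncTypes.FAST_SUPPORTED not in flags:   # step 2: FAST-supported bit clear
        return fallback
    dc = find_win2012_dc()                  # step 2, "Set": locate a FAST-capable DC
    if dc is None:
        return fallback
    return ("fast", dc)                     # armor the request to this DC (RFC 6113 5.4.x)


if __name__ == "__main__":
    # Constructed sample: RC4 | AES128 | AES256 | FAST-supported = 0x0001001C.
    sample = struct.pack("<I", 0x0001001C)
    print(parse_pa_supported_enctypes(sample))
    print(decide_fast(sample, True, lambda: "dc1.example.test"))  # ('fast', 'dc1.example.test')
    print(decide_fast(sample[:2] + b"\x00\x00", True, lambda: "dc1.example.test"))  # ('fail', None)
```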

-----Original Message-----
From: Jeff McCashland <jeffm@microsoft.com> 
Sent: Tuesday, April 27, 2021 11:28 AM
To: metze <metze@samba.org>; Andrew Bartlett <abartlet@samba.org>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; gary@samba.org; Jeff McCashland <jeffm@microsoftsupport.com>
Subject: RE: [EXTERNAL] Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST - TrackingID#2104270040006933

[DocHelp to BCC, support on CC, SR ID on Subject]

Hi Andrew,

Thank you for engaging us. We have created SR 2104270040006933 to track this issue. One of our engineers will respond soon to assist.

Best regards,
Jeff McCashland | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&amp;data=04%7C01%7Cobaidf%40microsoft.com%7Ca6623bbf76cb4b167c6908d909998242%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637551377188884639%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=WOdPusWTCB%2FwJWp23UPXtrGI1cvMIGVZQ0FpJmQwrcM%3D&amp;reserved=0 | Extension 1138300
We value your feedback. My manager is Natesha Morrison (namorri), +1 (704) 430-4292

-----Original Message-----
From: metze <metze@samba.org>
Sent: Tuesday, April 27, 2021 3:41 AM
To: Andrew Bartlett <abartlet@samba.org>; Interoperability Documentation Help <dochelp@microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol@lists.samba.org>; gary@samba.org
Subject: [EXTERNAL] Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST

On 27.04.21 at 11:38, Andrew Bartlett wrote:
> On Tue, 2021-04-27 at 10:18 +0200, Stefan Metzmacher via cifs-protocol
> wrote:
> > 
> > 
> > I uploaded the captures here:
> > https://nam06.safelinks.protection.outlook.com/?url=https:%2F%2Fwww.samba.org%2F~metze%2Fpresentations%2F2020%2FSambaXP%2Fcaptures%2Ffast&amp;data=04%7C01%7Cobaidf%40microsoft.com%7Ca6623bbf76cb4b167c6908d909998242%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637551377188884639%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=2I9uhApvipTNPrNoVlGsHOG6x738%2BJUxKZfmdatxZSA%3D&amp;reserved=0
> > / I guess this was the one that finally worked:
> > w2012r2-189-logon-FAST-administrator-w2012r2-l6.base-try-13-client-compound-first-kdc-enabled-compound.pcap.gz
> > wireshark >= 3.3.0 should be able to decrypt and dissect everything using
> > w2012r2-l6.base.keytab.20200422
> 
> Thanks so much metze.
> 
> Looking at packets 133 -> 156 I think I find the issue Gary was having,
> which is that it looks like the Windows KDC doesn't advertise PA-FX-FAST
> in an AS-REQ PREAUTH_REQUIRED error (RFC 6113 5.4.2).
> 
> Dochelp,
> 
> Is my understanding correct?  Do clients just need to know out-of-band 
> that FAST should be used?  Is there any other easy way to tell that 
> FAST is configured correctly and operating?

I guess the client gets it from encrypted-pa-data of frame 125, as the response to the initial AS-REQ as machine account. This maybe together with its applied computer GPOs...

But let's see what dochelp finds...

metze
