List: cifs-protocol
Subject: [cifs-protocol] [MS-KILE] Authentication Policies and RODCs
From: Joseph Sutton via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date: 2023-10-19 1:43:34
Message-ID: 9c616416-7d53-44fc-a8e8-5d101edba255 () samba ! org
Hi dochelp,
[MS-KILE] 3.3.5.7, "TGS Exchange", states that if during a TGS Exchange
an Authentication Policy with 'AllowedToAuthenticateTo' is in effect,
the user and device PACs must be used to perform an access check: if the
access check succeeds, a service ticket is issued to the client; if it
fails, the KDC returns KDC_ERR_POLICY.
However, I have found that Windows Server 2019, acting as an RWDC,
*always* returns KDC_ERR_POLICY if the client's TGT presented to the KDC
has been issued by an RODC.
If no 'AllowedToAuthenticateTo' policy is enforced, or the client's TGT
has been issued by an RWDC, the TGS-REQ exchange is successful.
As far as I can tell, this behaviour — disallowing the combination of
authentication policies and RODC-issued tickets — is not documented
anywhere. Is matching this behaviour important for the correct and
secure operation of MS-KILE implementations? And if so, can it be
clearly documented in [MS-KILE]?
Regards,
Joseph
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol