
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#231019004000
From:       "Jeff McCashland \(He/him\) via cifs-protocol" <cifs-protocol () lists ! samba ! org>
Date:       2023-12-08 23:10:14
Message-ID: MN0PR21MB370181257A16BBC29D285F12A38AA () MN0PR21MB3701 ! namprd21 ! prod ! outlook ! com

Hi Joseph,

We have updated [MS-KILE] for the next release to address this issue:

3.3.5.7 TGS Exchange
[...]
If domainControllerFunctionality returns a value >= 6 ([MS-ADTS] section 3.1.1.3.2.25) and the account is not also the application service account, the KDC MUST determine whether an Authentication Policy is applied to the server or service (section 3.3.5.5); if Enforced is TRUE then:<67>
  - If AllowedToAuthenticateTo is not NULL, the PAC of the user and the PAC of the armor TGT MUST be used to perform an access check for the ACTRL_DS_CONTROL_ACCESS right against the AllowedToAuthenticateTo. If the access check fails, the KDC MUST return KDC_ERR_POLICY.
[added:]
  - If the TGT is issued by a read-only Domain Controller (RODC) (section 3.3.5.7.7), the KDC MUST reject the request and return KDC_ERR_POLICY. Clients SHOULD send an AS-REQ to a full DC with PA-PAC-OPTIONS [167] (section 2.2.10) padata type with the Branch Aware bit set to the TGS REQ (section 3.2.5.7).

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
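As an added illustration (not [MS-KILE] text, nor Windows or Samba code), the Python model below encodes the TGS policy gate quoted above, with the RODC check ordered ahead of the access check so that an RODC-issued PAC never feeds a policy decision. The Pac/Tgt/AuthPolicy types, the SID-set stand-in for the AllowedToAuthenticateTo security descriptor, the assumption that the armor TGT comes from a full DC, and the `regenerate_pac` hook (the thread's second option) are all assumptions; the application-service-account exemption is omitted.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

KDC_ERR_POLICY = "KDC_ERR_POLICY"   # error the KDC returns when policy fails
TGS_REP = "TGS-REP"                 # stand-in for "issue the service ticket"

@dataclass(frozen=True)
class Pac:
    sids: FrozenSet[str]            # SIDs carried in the PAC (constructed values)

@dataclass(frozen=True)
class Tgt:
    pac: Pac
    issued_by_rodc: bool            # True when the TGT came from an RODC krbtgt

@dataclass(frozen=True)
class AuthPolicy:
    enforced: bool
    allowed_to_authenticate_to: Optional[FrozenSet[str]]  # None == attribute is NULL

def access_check(user_pac: Pac, armor_pac: Optional[Pac], allowed: FrozenSet[str]) -> bool:
    """Stand-in for the ACTRL_DS_CONTROL_ACCESS check: any principal SID in the allow set."""
    sids = user_pac.sids | (armor_pac.sids if armor_pac else frozenset())
    return bool(sids & allowed)

def tgs_policy_gate(user_tgt: Tgt, armor_tgt: Optional[Tgt], policy: Optional[AuthPolicy],
                    dc_functionality: int,
                    regenerate_pac: Optional[Callable[[Tgt], Pac]] = None) -> str:
    """Decide a TGS-REQ under the 3.3.5.7 rules (simplified model; armor TGT assumed
    full-DC issued). regenerate_pac is a hypothetical hook for the thread's option 2:
    build a PAC locally for the RODC-issued TGT and evaluate policy against that."""
    # Policy evaluation only applies at DFL >= 6 with an enforced policy in effect.
    if dc_functionality < 6 or policy is None or not policy.enforced:
        return TGS_REP
    # RODC check first: an RODC-issued PAC must never be the input to the access check.
    if user_tgt.issued_by_rodc:
        if regenerate_pac is None:
            return KDC_ERR_POLICY            # option 1: fail the request, as Windows does
        user_pac = regenerate_pac(user_tgt)  # option 2: local PAC for the RODC TGT
    else:
        user_pac = user_tgt.pac
    if policy.allowed_to_authenticate_to is not None:
        armor_pac = armor_tgt.pac if armor_tgt else None
        if not access_check(user_pac, armor_pac, policy.allowed_to_authenticate_to):
            return KDC_ERR_POLICY
    return TGS_REP
```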

-----Original Message-----
From: Jeff McCashland (He/him) 
Sent: Wednesday, November 1, 2023 1:28 PM
To: Joseph Sutton <jsutton@samba.org>; cifs-protocol@lists.samba.org
Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

[-support]

Hi Joseph,

In regards to your question on whether the behavior is important for implementation: 

It is important that the RODC PAC is not used to evaluate policy; that may be dangerous and must not happen.

Your options are to:
1. Fail the request as we do
2. Generate a PAC locally for the incoming RODC and evaluate policy against that

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

-----Original Message-----
From: Joseph Sutton <jsutton@samba.org>
Sent: Monday, October 30, 2023 3:43 PM
To: Jeff McCashland (He/him) <jeffm@microsoft.com>; cifs-protocol@lists.samba.org
Cc: Microsoft Support <supportmail@microsoft.com>
Subject: Re: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616

Thank you, that’s what I was looking to know.

Regards,
Joseph

On 31/10/23 11:36 am, Jeff McCashland (He/him) wrote:
> Hi Joseph,
> 
> I was able to debug the time travel trace, and determined the cause of failure. It appears that an RODC PAC cannot be used for an access check.
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Jeff McCashland (He/him)
> Sent: Tuesday, October 24, 2023 9:56 AM
> To: Joseph Sutton <jsutton@samba.org>; cifs-protocol@lists.samba.org
> Cc: Microsoft Support <supportmail@microsoft.com>
> Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616
> 
> Hi Joseph,
> 
> Thank you for uploading the traces. I will analyze them and get back to you.
> 
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> 
> -----Original Message-----
> From: Joseph Sutton <jsutton@samba.org>
> Sent: Monday, October 23, 2023 5:49 PM
> To: Jeff McCashland (He/him) <jeffm@microsoft.com>; 
> cifs-protocol@lists.samba.org
> Cc: Microsoft Support <supportmail@microsoft.com>
> Subject: Re: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616
> 
> Hi,
> 
> I’ve uploaded a trace of a Kerberos TGS exchange with a TGT issued by an RODC krbtgt and with an authentication policy enforced. In response to the TGS-REQ I expect to get a TGS-REP, but, as the trace shows, I get a KDC_ERR_POLICY error instead.
> Regards,
> Joseph
> 
> On 20/10/23 11:50 am, Jeff McCashland (He/him) wrote:
> > Hi Joseph,
> > 
> > To debug this issue, I need to collect an LSASS TTT trace. I have created a file transfer workspace for exchanging files related to this issue (link below).
> > The LSASS traces can be quite large, but are highly compressible, so please add them to a .zip archive before uploading (file transfer workspace credentials are below). Please log into the workspace and find PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can be staged onto the Windows server in any location (instructions below assume C:\TTD).
> > To collect the needed traces:
> > 1. From a PowerShell prompt, execute:
> >    C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | Format-Wide -Property ID).formatEntryInfo.formatPropertyField.propertyValue)
> > 2. Wait for a little window to pop up in the top left corner of your screen, titled “lsass01.run”
> > 3. Start a network trace using netsh or WireShark, etc.
> > 4. Repro the attempted operation
> > 5. Stop the network trace and save it
> > 6. CAREFULLY: uncheck the checkbox next to “Tracing” in the small “lsass01.run” window. Do not close or exit the small window or you will need to reboot.
> > 7. The TTTracer.exe process will generate a trace file, then print out the name and location of the file. Compress the *.run file into a .zip archive before uploading with the matching network trace. It is a good idea to reboot the machine at the next opportunity to restart the lsass process.
> > Workspace credentials:
> > Log in as 2310190040000616_joseph@dtmxfer.onmicrosoft.com
> > 1-Time: 9dx_7ndz
> > 
> > Workspace link:
> > 
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > 
> > -----Original Message-----
> > From: Jeff McCashland (He/him)
> > Sent: Thursday, October 19, 2023 10:01 AM
> > To: Joseph Sutton <jsutton@samba.org>; cifs-protocol@lists.samba.org
> > Cc: Microsoft Support <supportmail@microsoft.com>
> > Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616
> > 
> > Hi Joseph,
> > 
> > I will research your issue and get back to you.
> > 
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > 
> > -----Original Message-----
> > From: Jeff McCashland (He/him)
> > Sent: Wednesday, October 18, 2023 6:52 PM
> > To: Joseph Sutton <jsutton@samba.org>; cifs-protocol@lists.samba.org
> > Cc: Microsoft Support <supportmail@microsoft.com>
> > Subject: RE: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs - TrackingID#2310190040000616
> > 
> > [DocHelp to BCC, support on CC, SR ID on Subject]
> > 
> > Hi Joseph,
> > 
> > Thank you for your email. We have created SR 2310190040000616 to track this issue. One of our engineers will respond soon.
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> > 
> > -----Original Message-----
> > From: Joseph Sutton <jsutton@samba.org>
> > Sent: Wednesday, October 18, 2023 6:44 PM
> > To: cifs-protocol@lists.samba.org; Interoperability Documentation Help <dochelp@microsoft.com>
> > Subject: [EXTERNAL] [MS-KILE] Authentication Policies and RODCs
> > 
> > Hi dochelp,
> > 
> > [MS-KILE] 3.3.5.7, “TGS Exchange”, states that if during a TGS Exchange an Authentication Policy with ‘AllowedToAuthenticateTo’ is in effect, the user and device PACs must be used to perform an access check: if the access check succeeds, a service ticket is issued to the client; if it fails, the KDC returns KDC_ERR_POLICY.
> > However, I have found that Windows Server 2019, acting as an RWDC, *always* returns KDC_ERR_POLICY if the client’s TGT presented to the KDC has been issued by an RODC.
> > If no ‘AllowedToAuthenticateTo’ policy is enforced, or the client’s TGT has been issued by an RWDC, the TGS-REQ exchange is successful.
> > As far as I can tell, this behaviour — disallowing the combination of authentication policies and RODC-issued tickets — is not documented anywhere. Is matching this behaviour important for the correct and secure operation of MS-KILE implementations? And if so, can it be clearly documented in [MS-KILE]?
> > Regards,
> > Joseph
_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

