RE: Question about Windows S4U support

https://www.rocksolidbbs.com/devel/article-flat.php?id=429&group=comp.protocols.kerberos#429

From: jjli@rocketsoftware.com (JianJun Li)
Newsgroups: comp.protocols.kerberos
Subject: RE: Question about Windows S4U support
Date: Fri, 10 Nov 2023 09:21:44 +0000
Message-ID: <mailman.51.1699637403.2263420.kerberos@mit.edu>
References: <DM6PR07MB4651D6917435E9AF74528364BBA8A@DM6PR07MB4651.namprd07.prod.outlook.com>
<5dc6e95e-a862-4cbb-82ef-3d7b9f2af17a@mit.edu>
<DM6PR07MB4651EB536FEC010024DAB87ABBAEA@DM6PR07MB4651.namprd07.prod.outlook.com>
In-Reply-To: <5dc6e95e-a862-4cbb-82ef-3d7b9f2af17a@mit.edu>
 by: JianJun Li - Fri, 10 Nov 2023 09:21 UTC

Thanks for the reply. One strange thing is that when Windows is using an AD domain, sname doesn't have this format: host/win11client.mylab.com, but win11client$. I have no idea what makes Windows have this difference.

For the PAC validation error, I also can't get more detailed information from Windows logging about what causes the validation failure.

-----Original Message-----
From: Greg Hudson <ghudson@mit.edu>
Sent: Friday, November 10, 2023 6:44 AM
To: JianJun Li <jjli@rocketsoftware.com>; kerberos@mit.edu
Subject: Re: Question about Windows S4U support

On 11/8/23 09:23, JianJun Li wrote:
> In fact, principal "host/win11client.mylab.com@MYLAB.COM" exists. By Wireshark I can see Windows sends "host/win11client.mylab.com@MYLAB.COM" as sname; the KDC converts the sname to host\/win11client.mylab.com@MYLAB.COM.
> I had a look at the code but found no parameters or settings that can change this behavior.

I can give a detailed but ultimately not very helpful answer:

As Ken explained in part, the wire representation of principals in Kerberos is the ASN.1 DER encoding of a name-type and a sequence of strings. Microsoft created a name type NT-ENTERPRISE which puts an email-address-like string in the first string element. When you see "host\/..." in your log, that is the MIT krb5 library's string representation of an NT-ENTERPRISE principal.

RFC 6806 section 5 describes this name type as conveying alias names, to be used in the client field of an AS-REQ to a KDC with a directory service that can map email addresses to canonical principal names. However, Microsoft's implementation now also uses this type in server names under some circumstances, including some S4U operations. [MS-KILE] 3.3.5.1.1 defines semantics for server name lookup of NT-ENTERPRISE principals (in terms of underlying facilities specific to Active Directory); [MS-SFU] unfortunately does not seem to say precisely when they are used. I had thought they were only used for cross-realm S4U2Self operations where it is necessary to communicate the requesting service's realm to the client realm, but based on your log it sounds like they are also used for same-realm S4U2Self requests made by Windows clients.

Although MIT krb5 has S4U2Self and S4U2Proxy logic in the KDC code, it does not implement NT-ENTERPRISE lookup. The translation from NT-ENTERPRISE {"host/win11client.mylab.com@MYLAB.COM"} to NT-PRINCIPAL {"host", "win11client.mylab.com"} currently has to be done within the KDB layer, either by using an encompassing piece of software with a KDB module (such as Samba), or by setting up an explicit alias in the LDAP KDB module (the BDB and LMDB modules do not support aliases). I believe the situation could be improved by performing this translation within the KDC for TGS service lookups, but that improvement, although simple in concept, would require careful testing.

> The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client user in realm MYLAB.COM could not be validated.
> This error is usually caused by domain trust failures; Contact your system administrator.

I don't know exactly what is causing this error on the Windows side, especially if it only happens some of the time. I will note that when used with any of the built-in KDB modules (BDB, LMDB, or LDAP), MIT krb5's KDC includes a minimal PAC with no SID or group information. Encompassing software such as Samba is required to supply a complete PAC within issued tickets. This limitation may be unrelated to the error given that the error does not always occur.

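The NT-ENTERPRISE to NT-PRINCIPAL translation Greg Hudson describes, worked through on the string form as an added example (not code from the list post or from MIT krb5). It assumes MIT krb5's backslash-escape convention for the "host\/..." log form and the name-type numbers from RFC 4120 and RFC 6806; the KDB lookup itself is outside the example.

```python
# Added example, not code from the list post or from MIT krb5: re-parse an
# NT-ENTERPRISE server name (one string element holding a whole principal
# name) into NT-PRINCIPAL components. The "\/" escape mirrors the KDC log
# form "host\/win11client.mylab.com@MYLAB.COM" quoted in the thread.
NT_PRINCIPAL = 1     # name type from RFC 4120
NT_ENTERPRISE = 10   # name type from RFC 6806


def parse_principal(text):
    """Split 'c1/c2@REALM' into ([c1, c2], realm), honouring backslash
    escapes: 'host\\/x@R' yields the single component 'host/x'.
    realm is None when no unescaped '@' is present."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped char is literal
            cur.append(text[i + 1])
            i += 2
            continue
        if realm is None and ch == "/":
            comps.append("".join(cur))
            cur = []
        elif realm is None and ch == "@":
            comps.append("".join(cur))
            cur, realm = [], ""
        else:
            cur.append(ch)
        i += 1
    if realm is None:
        comps.append("".join(cur))
    else:
        realm = "".join(cur)
    return comps, realm


def enterprise_to_principal(name_type, name_string, realm):
    """Canonicalise a server name as received in an S4U2Self/TGS request.
    NT-ENTERPRISE {"host/win11client.mylab.com@MYLAB.COM"} becomes
    NT-PRINCIPAL {"host", "win11client.mylab.com"}; a realm inside the
    string wins over the outer one. Other name types pass through.
    A name with no '/' (e.g. "win11client$") stays a single component:
    resolving it needs a KDB-level alias, as the thread explains."""
    if name_type != NT_ENTERPRISE:
        return name_type, list(name_string), realm
    if len(name_string) != 1:
        raise ValueError("NT-ENTERPRISE name must have exactly one element")
    comps, inner_realm = parse_principal(name_string[0])
    return NT_PRINCIPAL, comps, inner_realm or realm
```

Feeding the KDC log string through parse_principal first shows why it looks odd: the escaped slash keeps "host/win11client.mylab.com" as one component, which is exactly the enterprise name-string Windows sent.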
