[MS-SFU] Question on PAC for transit, plus a few comments.

  • Question

  • Applies to [MS-SFU] v20101230:

    1.3.2 "S4U2proxy" contains "Kerberos Ddelegation" which probably should be "Kerberos delegation".

    1.3.3 is a bit confusing because the initial description is really a description of the problem that S4U options are solving, rather than describing how S4U works. That is a bit subtle, and easy to miss on the first read.

    Figure 2 might be a bit clearer if it had labels for the upper section (S4U2self) and lower section (S4U2proxy).

    In section 3.2.5.2 "KDC Receives S4U2proxy KRB_TGS_REQ", there is a paragraph at the bottom that starts "Otherwise, if a PAC was provided...". Should that read "Otherwise if a PAC containing S4U_DELEGATION_INFO was provided..."?

    In section 4.2, TBS_B should probably be TGS_B?

    Figure 5 might be improved if the labels were "TGS_A" and "TGS_B" instead of "TGS A" and "TGS B" to match the text.

    Brad

     

    Thursday, January 20, 2011 3:13 AM

All replies

  • Hi Brad,

    A colleague will follow up with you soon to investigate this issue.

    Regards,

    Mark Miller

    Escalation Engineer

    US-CSS DSC PROTOCOL TEAM

    Thursday, January 20, 2011 12:35 PM
  • Hi Brad,

    I am taking care of this and will follow up with you.

    Regards,

    Edgar


    Thursday, January 20, 2011 3:48 PM
    Moderator
  • Brad,

     

    Upon review, it appears that your observations are correct. The product team will be making all necessary changes in a future release of the MS-SFU document.

    Thanks again for helping us improve the MS-SFU specification.

     

    Regards,

    Edgar

    Friday, February 4, 2011 11:05 PM
    Moderator
  • Edgar,


    Thanks for following up on this.

    Can you confirm the question relating to section 3.2.5.2 "KDC Receives S4U2proxy KRB_TGS_REQ" (i.e. "Otherwise if a PAC containing S4U_DELEGATION_INFO was provided..." is the correct interpretation)?

    Brad

     

    Saturday, February 5, 2011 1:36 AM
  • Hello Brad,

    Yes, your interpretation is correct. The line you referred to should be read something like:

    Otherwise, if the PAC of the service ticket in the additional-tickets contains an S4U_DELEGATION_INFO structure, the KDC MUST copy the existing S4U_DELEGATION_INFO ...

    Thanks again for following up on this, we really appreciate your feedback.

    Regards,

    Edgar

     

    Tuesday, February 8, 2011 4:16 AM
    Moderator
  • Edgar,

    Thanks for this.

    Brad

     

    Tuesday, February 8, 2011 7:36 AM