[MS-CSRA] missing ACCESS_DENIED_CALLBACK_ACE_TYPE

  • Question

  • [MS-CSRA] §2.2.1.11 Officer and Enrollment Agent Access Rights contains the following statement:

    Each access control entry (ACE) in the discretionary access control list (DACL) MUST have:
    1. AceType 0x9 (ACCESS_ALLOWED_CALLBACK_ACE_TYPE for the ACCESS_ALLOWED_CALLBACK_ACE, [MS-DTYP] section 2.4.4.6)
    2. AccessMask 0x00010000

    I believe this statement is not complete. An ACE may also have AceType 0xa (ACCESS_DENIED_CALLBACK_ACE_TYPE, [MS-DTYP] section 2.4.4.7); either of these must appear. In ADCS, Role Separation and Registration Authority (where these permissions are used) explicitly support Deny permissions via ACCESS_DENIED_CALLBACK_ACE_TYPE.


    Vadims Podāns, aka Crypt32
    My weblog: www.sysadmins.lv
    PowerShell PKI Module: PSPKI
    Check out new: SSL Certificate Verifier
    Check out new: ASN.1 Editor tool.

    Monday, June 1, 2020 7:22 PM

Answers

  • Hi Vadims,

    After carefully reviewing the available information and source code, we have concluded that you are correct. We will update the documentation accordingly. 

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Wednesday, June 24, 2020 4:34 PM
    Moderator

All replies

  • Hi Vadims,

    Thank you for reporting this issue. I will look into it. 

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Monday, June 1, 2020 8:04 PM
    Moderator
  • Hi Vadims,

    I have been able to confirm that ACCESS_DENIED_CALLBACK_ACE_TYPE is also valid for Officer Enrollment access rights. I will file a request to update the documentation and follow up.

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Friday, June 5, 2020 9:53 PM
    Moderator
  • Thanks for confirming my assumption.

    Vadims Podāns, aka Crypt32

    Saturday, June 6, 2020 1:15 PM
  • Hi Vadims,

    It appears I was incorrect. Further review indicates that ACCESS_DENIED_CALLBACK_ACE_TYPE cannot be returned for this function. 

    If you are able to construct a scenario and show that ACCESS_DENIED_CALLBACK_ACE_TYPE is returned, please contact us at our email alias DocHelp @microsoft .com and provide a network trace showing the same. 

    Best Regards,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Monday, June 15, 2020 4:23 PM
    Moderator
  • I'm still thinking that my initial statement is correct. Here is the OfficerRights SDDL dump:

    PS C:\> certutil -v -getreg ca\officerrights
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\contoso-DC2-CA\OfficerRights:
    
      OfficerRights REG_BINARY =
        Deny Write  CONTOSO\Domain Admins
        Deny Write  CONTOSO\Domain Admins
        Deny Write  CONTOSO\Enterprise Admins
        Deny Write  BUILTIN\Administrators
    
    
    0000    01 00 04 80 f0 00 00 00  00 00 00 00 00 00 00 00   ................
    0010    14 00 00 00 02 00 dc 00  04 00 00 00 0a 00 44 00   ..............D.
    0020    00 00 01 00 01 05 00 00  00 00 00 05 15 00 00 00   ................
    0030    f6 e6 15 dd ed 3f 20 1a  18 9f 41 ff 00 02 00 00   .....? ...A.....
    0040    01 00 00 00 01 05 00 00  00 00 00 05 15 00 00 00   ................
    0050    f6 e6 15 dd ed 3f 20 1a  18 9f 41 ff 56 04 00 00   .....? ...A.V...
    0060    09 00 34 00 00 00 01 00  01 05 00 00 00 00 00 05   ..4.............
    0070    15 00 00 00 f6 e6 15 dd  ed 3f 20 1a 18 9f 41 ff   .........? ...A.
    0080    00 02 00 00 01 00 00 00  01 01 00 00 00 00 00 01   ................
    0090    00 00 00 00 09 00 34 00  00 00 01 00 01 05 00 00   ......4.........
    00a0    00 00 00 05 15 00 00 00  f6 e6 15 dd ed 3f 20 1a   .............? .
    00b0    18 9f 41 ff 07 02 00 00  01 00 00 00 01 01 00 00   ..A.............
    00c0    00 00 00 01 00 00 00 00  09 00 28 00 00 00 01 00   ..........(.....
    00d0    01 02 00 00 00 00 00 05  20 00 00 00 20 02 00 00   ........ ... ...
    00e0    01 00 00 00 01 01 00 00  00 00 00 01 00 00 00 00   ................
    00f0    01 02 00 00 00 00 00 05  20 00 00 00 20 02 00 00   ........ ... ...
    CertUtil: -getreg command completed successfully.
    PS C:\>

    If you decode this structure, you will find that the "Domain Admins" group has an ACCESS_DENIED_CALLBACK_ACE_TYPE ACE against SID S-1-5-21-3709200118-438321133-4282490648-1110. Here is a screenshot from CertSrv.msc:


    Vadims Podāns, aka Crypt32

    Monday, June 15, 2020 5:31 PM
  • Hi Vadims,

    I did not see any CertSrv screenshot in the post. At any rate, screenshots are not helpful as we cannot analyze them deeply. If possible, can you dump the data from the query and CertSrv.msc, and provide the raw data to us via our email alias DocHelp @microsoft .com? 

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Monday, June 15, 2020 7:30 PM
    Moderator
  • I already posted a hex dump of DACL structure in my previous post. Is it enough for you? Repeating it again:

    0000    01 00 04 80 f0 00 00 00  00 00 00 00 00 00 00 00   ................
    0010    14 00 00 00 02 00 dc 00  04 00 00 00 0a 00 44 00   ..............D.
    0020    00 00 01 00 01 05 00 00  00 00 00 05 15 00 00 00   ................
    0030    f6 e6 15 dd ed 3f 20 1a  18 9f 41 ff 00 02 00 00   .....? ...A.....
    0040    01 00 00 00 01 05 00 00  00 00 00 05 15 00 00 00   ................
    0050    f6 e6 15 dd ed 3f 20 1a  18 9f 41 ff 56 04 00 00   .....? ...A.V...
    0060    09 00 34 00 00 00 01 00  01 05 00 00 00 00 00 05   ..4.............
    0070    15 00 00 00 f6 e6 15 dd  ed 3f 20 1a 18 9f 41 ff   .........? ...A.
    0080    00 02 00 00 01 00 00 00  01 01 00 00 00 00 00 01   ................
    0090    00 00 00 00 09 00 34 00  00 00 01 00 01 05 00 00   ......4.........
    00a0    00 00 00 05 15 00 00 00  f6 e6 15 dd ed 3f 20 1a   .............? .
    00b0    18 9f 41 ff 07 02 00 00  01 00 00 00 01 01 00 00   ..A.............
    00c0    00 00 00 01 00 00 00 00  09 00 28 00 00 00 01 00   ..........(.....
    00d0    01 02 00 00 00 00 00 05  20 00 00 00 20 02 00 00   ........ ... ...
    00e0    01 00 00 00 01 01 00 00  00 00 00 01 00 00 00 00   ................
    00f0    01 02 00 00 00 00 00 05  20 00 00 00 20 02 00 00   ........ ... ...


    Vadims Podāns, aka Crypt32

    Monday, June 15, 2020 8:04 PM
  • Hi Vadims,

    We have updated the documentation for the next release:

    [MS-CSRA] 2.2.1.11 Officer and Enrollment Agent Access Rights

    1. Each access control entry (ACE) in the discretionary access control list (DACL) MUST have:

    • Either the AceType 0x9 (ACCESS_ALLOWED_CALLBACK_ACE_TYPE for the ACCESS_ALLOWED_CALLBACK_ACE, [MS-DTYP] section 2.4.4.6) or the AceType 0x0A (ACCESS_DENIED_CALLBACK_ACE_TYPE for the ACCESS_DENIED_CALLBACK_ACE, [MS-DTYP] section 2.4.4.7).
    • AccessMask 0x00010000.

    I hope that helps!


    Jeff McCashland | Microsoft Protocols Open Specifications Team


    Monday, July 6, 2020 9:47 PM
    Moderator
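The hex dump Vadims posted on June 15 can be decoded mechanically to settle the question. The Python below is an added example, not code from the thread, from PSPKI or from Microsoft: it re-types the certutil dump from the post, walks the self-relative SECURITY_DESCRIPTOR and its DACL as laid out in [MS-DTYP], and then applies the 2.2.1.11 rule twice, once as the spec originally stated it (AceType 0x9 only) and once as corrected (0x9 or 0x0A). Reading each callback ACE's ApplicationData as a 32-bit count followed by SIDs is this example's own interpretation of the bytes (it is what recovers the ...-1110 SID the post refers to); helper names such as check_dacl and parse_officer_rights are the example's own.

```python
import struct

# OfficerRights security descriptor as dumped by `certutil -v -getreg ca\officerrights`
# in the thread above (re-typed; the parser ignores the ASCII column on the right).
OFFICER_RIGHTS_DUMP = """
0000    01 00 04 80 f0 00 00 00  00 00 00 00 00 00 00 00   ................
0010    14 00 00 00 02 00 dc 00  04 00 00 00 0a 00 44 00   ..............D.
0020    00 00 01 00 01 05 00 00  00 00 00 05 15 00 00 00   ................
0030    f6 e6 15 dd ed 3f 20 1a  18 9f 41 ff 00 02 00 00   .....? ...A.....
0040    01 00 00 00 01 05 00 00  00 00 00 05 15 00 00 00   ................
0050    f6 e6 15 dd ed 3f 20 1a  18 9f 41 ff 56 04 00 00   .....? ...A.V...
0060    09 00 34 00 00 00 01 00  01 05 00 00 00 00 00 05   ..4.............
0070    15 00 00 00 f6 e6 15 dd  ed 3f 20 1a 18 9f 41 ff   .........? ...A.
0080    00 02 00 00 01 00 00 00  01 01 00 00 00 00 00 01   ................
0090    00 00 00 00 09 00 34 00  00 00 01 00 01 05 00 00   ......4.........
00a0    00 00 00 05 15 00 00 00  f6 e6 15 dd ed 3f 20 1a   .............? .
00b0    18 9f 41 ff 07 02 00 00  01 00 00 00 01 01 00 00   ..A.............
00c0    00 00 00 01 00 00 00 00  09 00 28 00 00 00 01 00   ..........(.....
00d0    01 02 00 00 00 00 00 05  20 00 00 00 20 02 00 00   ........ ... ...
00e0    01 00 00 00 01 01 00 00  00 00 00 01 00 00 00 00   ................
00f0    01 02 00 00 00 00 00 05  20 00 00 00 20 02 00 00   ........ ... ...
"""

SE_DACL_PRESENT = 0x0004                 # SECURITY_DESCRIPTOR.Control bits ([MS-DTYP] 2.4.6)
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_CALLBACK_ACE_TYPE = 0x09  # [MS-DTYP] 2.4.4.6
ACCESS_DENIED_CALLBACK_ACE_TYPE = 0x0A   # [MS-DTYP] 2.4.4.7
SID_BEARING_ACE_TYPES = (0x00, 0x01, ACCESS_ALLOWED_CALLBACK_ACE_TYPE, ACCESS_DENIED_CALLBACK_ACE_TYPE)
OFFICER_ACCESS_MASK = 0x00010000         # the AccessMask [MS-CSRA] 2.2.1.11 requires


def hexdump_to_bytes(dump):
    """Turn a certutil-style hex dump (offset, 16 byte columns, ASCII) back into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        out.extend(int(tok, 16) for tok in fields[1:17])  # skip offset, drop ASCII column
    return bytes(out)


def parse_sid(buf, off):
    """Decode a binary SID ([MS-DTYP] 2.4.2.2) at buf[off]; return (string form, byte size)."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")      # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)  # little-endian DWORDs
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs), 8 + 4 * sub_count


def parse_officer_rights(sd):
    """Walk a self-relative SECURITY_DESCRIPTOR and return its owner SID and DACL ACEs."""
    revision, _sbz1, control = struct.unpack_from("<BBH", sd, 0)
    off_owner, _off_group, _off_sacl, off_dacl = struct.unpack_from("<IIII", sd, 4)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision-1 self-relative security descriptor")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        raise ValueError("no DACL present")
    owner = parse_sid(sd, off_owner)[0] if off_owner else None

    _acl_rev, _sbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, end = off_dacl + 8, off_dacl + acl_size
    aces = []
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if pos + ace_size > end:
            raise ValueError("ACE at offset 0x%x runs past the end of the ACL" % pos)
        ace = {"type": ace_type, "flags": ace_flags, "mask": None, "trustee": None, "targets": []}
        if ace_type in SID_BEARING_ACE_TYPES:  # Mask + SID layout; object ACEs differ and are left raw
            ace["mask"] = struct.unpack_from("<I", sd, pos + 4)[0]
            ace["trustee"], sid_len = parse_sid(sd, pos + 8)
            if ace_type in (ACCESS_ALLOWED_CALLBACK_ACE_TYPE, ACCESS_DENIED_CALLBACK_ACE_TYPE):
                # Callback ACEs carry opaque ApplicationData after the SID. In OfficerRights
                # it decodes as a DWORD count followed by that many SIDs (the principals the
                # ACE applies to). This is the example's reading of the bytes, not quoted spec text.
                p = pos + 8 + sid_len
                count = struct.unpack_from("<I", sd, p)[0]
                p += 4
                for _ in range(count):
                    target, n = parse_sid(sd, p)
                    ace["targets"].append(target)
                    p += n
        aces.append(ace)
        pos += ace_size
    return {"owner": owner, "aces": aces}


def check_dacl(aces, allowed_types=(ACCESS_ALLOWED_CALLBACK_ACE_TYPE, ACCESS_DENIED_CALLBACK_ACE_TYPE)):
    """Apply the [MS-CSRA] 2.2.1.11 rule; return (index, reason) for every non-conforming ACE.
    Pass allowed_types=(0x09,) to apply the rule as the spec originally worded it."""
    problems = []
    for i, ace in enumerate(aces):
        if ace["type"] not in allowed_types:
            problems.append((i, "AceType 0x%02X not permitted" % ace["type"]))
        elif ace["mask"] != OFFICER_ACCESS_MASK:
            problems.append((i, "AccessMask 0x%08X != 0x%08X" % (ace["mask"], OFFICER_ACCESS_MASK)))
    return problems


if __name__ == "__main__":
    parsed = parse_officer_rights(hexdump_to_bytes(OFFICER_RIGHTS_DUMP))
    print("Owner:", parsed["owner"])
    for i, ace in enumerate(parsed["aces"]):
        print("ACE %d: type=0x%02X mask=0x%08X trustee=%s targets=%s"
              % (i, ace["type"], ace["mask"], ace["trustee"], ace["targets"]))
    print("Violations, original wording (0x9 only):",
          check_dacl(parsed["aces"], allowed_types=(ACCESS_ALLOWED_CALLBACK_ACE_TYPE,)))
    print("Violations, corrected wording:", check_dacl(parsed["aces"]))
```

Run against the posted bytes, the DACL contains four ACEs, all with AccessMask 0x00010000: one ACCESS_DENIED_CALLBACK_ACE (0x0A) for Domain Admins (RID 512) whose callback data names the ...-1110 SID, and three ACCESS_ALLOWED_CALLBACK_ACEs (0x09) for Domain Admins, Enterprise Admins (RID 519) and BUILTIN\Administrators, each with S-1-1-0 (Everyone) in the callback data. The owner is S-1-5-32-544. Under the original wording check_dacl flags ACE 0; under the corrected wording it returns nothing, which is the outcome the thread converged on.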
  • Yes, this edition is correct.

    Thanks for update! 


    Vadims Podāns, aka Crypt32

    Tuesday, July 7, 2020 5:53 AM