Hi Alexander,

Apologies for the delayed response as I've been supporting the SDC IO Lab with the team this week. I've proposed this question to the engineering team and I'll let you know what I learn.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft(r) Corporation
Email: kristian.sm...@microsoft.com

-----Original Message-----
From: Alexander Bokovoy <a...@samba.org>
Sent: Monday, September 15, 2025 12:14 AM
To: Kristian Smith <kristian.sm...@microsoft.com>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportm...@microsoft.com>
Subject: Re: [EXTERNAL] Network Ticket Logon clarification - TrackingID#2508140040006509

Hi Kristian,

On Fri, 12 Sep 2025, Kristian Smith wrote:
> Hi Alexander,
>
> Apologies for the delay in response. Jeff retired last week and I'll
> be taking over this case on his behalf.

Happy retirement to Jeff!

> I see that you're referencing the 5 steps outlined in [MS-NRPC]
> 3.2.4.2 Network Ticket Logon. You're wondering about the intermediary
> steps between the following:
>
> 2. Netlogon delivers the request (see section 3.2.4.2.1
>    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/1ff6ce53-dc55-4a9e-af21-cb8ea5de5948>)
> 3. The Key Distribution Center (KDC)
>    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/b5e7d25a-40b2-41c8-9611-98f53358af66#gt_6e5aafba-6b66-4fdd-872e-844f142af287>
>    processes the request and sends a reply (see [MS-KILE]
>    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9>
>    section 3.3.5.8.1
>    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/5445bcc9-1232-42d3-9f66-99f40463a92c>)
>
> [MS-NRPC] 3.2.4.2.1 discusses what I interpret as 2 stages, dispatch
> to the appropriate DC, and the domain calling the KDC.
>
> Is your question specifically about the call to the KDC after the
> Netlogon request has reached the appropriate DC?

Correct. There is no description of how Netlogon is supposed to request the check from KDC and how KDC should respond. I'd like to see that documented because there is no existing Kerberos protocol message exchange for this operation and none of the custom changes are documented anywhere.

> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Email: kristian.sm...@microsoft.com
>
> From: Jeff McCashland (He/him) <je...@microsoft.com>
> Sent: Monday, August 18, 2025 3:37 PM
> To: Alexander Bokovoy (Samba) <a...@samba.org>
> Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportm...@microsoft.com>
> Subject: Re: [EXTERNAL] Network Ticket Logon clarification - TrackingID#2508140040006509
>
> [Kristian to BCC]
>
> Hi Alexander,
>
> I will research the logon interaction and see what I can find.
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
>
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
>
> Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
>
> ________________________________
> From: Kristian Smith <kristian.sm...@microsoft.com>
> Sent: Thursday, August 14, 2025 8:39 AM
> To: Alexander Bokovoy (Samba) <a...@samba.org>
> Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportm...@microsoft.com>
> Subject: RE: [EXTERNAL] Network Ticket Logon clarification - TrackingID#2508140040006509
>
> [DocHelp to Bcc]
>
> Hi Alexander,
>
> Thanks for reaching out with your Kerberos/Netlogon question. I've created
> case 2508140040006509 to track the issue. One of our engineers will
> investigate this and contact you soon.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Email: kristian.sm...@microsoft.com
>
> -----Original Message-----
> From: Alexander Bokovoy <a...@samba.org>
> Sent: Thursday, August 14, 2025 5:41 AM
> To: Interoperability Documentation Help <doch...@microsoft.com>
> Cc: cifs-protocol@lists.samba.org
> Subject: [EXTERNAL] Network Ticket Logon clarification
>
> Hello Dochelp,
>
> I am reading through MS-KILE v45 update that was published this week
> (v20250811) and trying to understand how would KDC receive the request which
> processing is described in the section [MS-KILE] 3.3.5.8 Network Ticket Logon.
>
> As referenced in [MS-KILE] 3.3.5.8, [MS-NRPC] 3.2.4.2 describes the process
> on the Netlogon side, namely:
>
> --------------------------------------
> Broadly, there are five major steps in the network ticket logon process:
>
> - The Kerberos client prepares and makes a request (see [MS-APDS]
>   sections 3.2.5.1 and 3.2.5.2)
>
> - Netlogon delivers the request (see section 3.2.4.2.1)
>
> - The Key Distribution Center (KDC) processes the request and sends
>   a reply (see [MS-KILE] section 3.3.5.8.1)
>
> - Netlogon processes the reply and sends it to the client (see
>   section 3.2.4.2.2)
>
> - The Kerberos client receives the reply (see [MS-APDS] section
>   3.2.5.4)
> -------------------------------------
>
> My question is related to the steps 'Netlogon delivers the request'
> and 'KDC processes the requests and sends a reply'. Unfortunately,
> neither [MS-NRPC] 3.2.4.2.1 nor [MS-KILE] 3.3.5.8.1 clarify how exactly
> Netlogon and KDC communicate the request between each other.
>
> Could you please clarify it?
>
> Is it a specially formatted TGS-REQ? Or is it some special form of a
> back-channel between these components?
>
> --
> / Alexander Bokovoy

--
/ Alexander Bokovoy

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol