Re: [cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

2017-01-13 Thread Stefan Metzmacher via cifs-protocol
Hi Sreekanth,

sorry for the long delay.

The difference I see is that you're doing this as administrator.

I'm talking about validated-writes done by an account on its own
computer object. And that's what [MS-ADTS] 3.1.1.5.3.1.1.4
servicePrincipalName is about; also see the parent section
3.1.1.5.3.1.1 Validated Writes.

Can you please continue your research on this?

Thanks!
metze

> Hello Stefan, simple tests at my end using a test domain controller show 
> that all of the following values are allowed by the MS Windows domain 
> controller. Before I propose any doc changes, can you confirm which domain 
> controller you have used when you say "Testing against a Windows DC shows 
> that **only** numeric characters are allowed after ':'"? Did you mean to say 
> the domain controller itself failed to add such an SPN? Or are you saying 
> that it is the SQL Server that didn't find an SPN that has a nonnumeric 
> character after ":"?
> 
> 
> 
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433   lvisser
> 
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1   
> lvisser
> 
> C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2   
> lvisser
> 
> C:\Users\Administrator>setspn -l lvisser
> 
> Registered ServicePrincipalNames for CN=lora 
> visser,CN=Users,DC=379135DOM,DC=LAB:
> 
> MSSQLSvc/myhost.379135DOM.LAB/MYINST2
> MSSQLSvc/myhost.379135DOM.LAB:MYINST1
> MSSQLSvc/myhost.379135DOM.LAB:1433
> 
> 
> You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2
> 
> 
> But ultimately, if the SPN does not match the string as constructed by the 
> service, i.e. SQL Server in this case, authentication will fail.



___
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
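As an added example (not code from this thread, from Samba or from Microsoft), here is a small Python checker for the SPN shape the thread is about, serviceClass/host[:port][/serviceName], together with the decision a DC has to make when a computer account adds such a value to its own object (the validated-write case metze describes). The sample computer object (dNSHostName myhost.379135DOM.LAB, sAMAccountName MYHOST$) is constructed for the example. The host-name rule (host must be the object's dNSHostName or its sAMAccountName without the trailing '$') is MS-ADTS 3.1.1.5.3.1.1.4 as I read it; the numeric-only port rule is metze's test observation and Sreekanth's administrator result is the permissive setting, so the numeric_port_only switch is the open question of the thread, not a statement of the spec.

```python
"""
Parse servicePrincipalName values of the shape

    serviceClass/host[:port][/serviceName]

and decide whether a computer account writing to its *own* object
should be allowed to add a given value (validated write).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[str]          # text after ':' in the host component, if any
    service_name: Optional[str]  # optional third '/'-separated component


def parse_spn(value: str) -> Spn:
    """Split an SPN into its components; raises ValueError on malformed input.

    Only the shape is checked here: a two- or three-part name with no empty
    part, and no empty text after a ':'.  Whether a non-numeric port is
    acceptable is a policy question answered by validated_write_allowed().
    """
    parts = value.split("/")
    if len(parts) not in (2, 3) or any(p == "" for p in parts):
        raise ValueError(f"malformed SPN (need serviceClass/host[/serviceName]): {value!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    host, sep, port = host_part.partition(":")
    if sep and not port:
        raise ValueError(f"empty port after ':' in {value!r}")
    return Spn(service_class, host, port if sep else None, service_name)


def validated_write_allowed(value: str, dns_host_name: str, sam_account_name: str,
                            numeric_port_only: bool = True) -> Tuple[bool, str]:
    """Decide whether a computer account may add `value` to its own object.

    Rules implemented (assumptions of this example, not spec text):
      * host must equal the account's dNSHostName, or its sAMAccountName
        without the trailing '$', compared case-insensitively;
      * with numeric_port_only=True, anything after ':' must be digits only,
        which is what the thread reports for validated writes ('9' is
        accepted, 'SOPHOS' is not); no 0-65535 range check is applied;
      * numeric_port_only=False reproduces the permissive result seen when
        an administrator adds the value with setspn.
    """
    try:
        spn = parse_spn(value)
    except ValueError as exc:
        return False, str(exc)
    allowed_hosts = {dns_host_name.lower(), sam_account_name.rstrip("$").lower()}
    if spn.host.lower() not in allowed_hosts:
        return False, f"host {spn.host!r} is not this computer's dNSHostName or sAMAccountName"
    if spn.port is not None and numeric_port_only and not re.fullmatch(r"[0-9]+", spn.port):
        return False, f"non-numeric port {spn.port!r} after ':' is not allowed for a validated write"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the computer object the SPNs are written to.
    DNS_HOST = "myhost.379135DOM.LAB"
    SAM_NAME = "MYHOST$"
    for v in ["MSSQLSvc/myhost.379135DOM.LAB:1433",
              "MSSQLSvc/myhost.379135DOM.LAB:MYINST1",
              "MSSQLSvc/myhost.379135DOM.LAB/MYINST2",
              "MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2",
              "MSSQLSvc/MYHOST:9",
              "MSSQLSvc/otherhost.379135DOM.LAB:1433"]:
        ok, why = validated_write_allowed(v, DNS_HOST, SAM_NAME)
        print(f"{'ALLOW' if ok else 'REJECT'} {v}: {why}")
```

The parser deliberately keeps the text after ':' as an opaque string, so the two readings of the SQL Server documentation (MSSQLSvc/FQDN:port versus MSSQLSvc/FQDN:instancename) are both representable and only the policy function decides between them; that is the single place to change once the MS-ADTS text is clarified.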


Re: [cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

2016-06-20 Thread Sreekanth Nadendla
Hello Stefan, you might be working on other issues and didn't get a chance to 
review my e-mail below. I'm going to archive this temporarily and revisit this 
issue as soon as you are ready to provide me the details of your test 
environment where Windows domain controller doesn't allow an SPN with 
non-numeric characters after colon. 


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-Original Message-
From: Sreekanth Nadendla 
Sent: Wednesday, June 8, 2016 3:52 PM
To: 'Stefan Metzmacher'; 'cifs-protocol@lists.samba.org'
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames

Hello Stefan, simple tests at my end using a test domain controller show that 
all of the following values are allowed by the MS Windows domain controller. Before 
I propose any doc changes, can you confirm which domain controller you have 
used when you say "Testing against a Windows DC shows that **only** numeric 
characters are allowed after ':'"? Did you mean to say the domain controller 
itself failed to add such an SPN? Or are you saying that it is the SQL Server 
that didn't find an SPN that has a nonnumeric character after ":"?



C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2   lvisser

C:\Users\Administrator>setspn -l lvisser

Registered ServicePrincipalNames for CN=lora 
visser,CN=Users,DC=379135DOM,DC=LAB:

MSSQLSvc/myhost.379135DOM.LAB/MYINST2
MSSQLSvc/myhost.379135DOM.LAB:MYINST1
MSSQLSvc/myhost.379135DOM.LAB:1433


You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2


But ultimately, if the SPN does not match the string as constructed by the 
service, i.e. SQL Server in this case, authentication will fail.




Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-Original Message-
From: Sreekanth Nadendla 
Sent: Saturday, May 28, 2016 9:22 PM
To: Stefan Metzmacher; cifs-protocol@lists.samba.org
Cc: MSSolve Case Email
Subject: RE: [REG:116052814221908] Validated-Writes of servicePrincipalNames

Hi Metze, I will be assisting you with your issue.

Regards,
Sreekanth

-Original Message-
From: Bryan Burgin 
Sent: Saturday, May 28, 2016 9:56 AM
To: Stefan Metzmacher ; cifs-protocol@lists.samba.org
Cc: MSSolve Case Email 
Subject: [REG:116052814221908] Validated-Writes of servicePrincipalNames

[Dochelp to bcc]
[+Casemail]

Hi Metze

Thank you for your question.  We created SR 116052814221908 to track this 
issue.  An engineer will contact you soon.

Bryan

-Original Message-
From: Stefan Metzmacher [mailto:me...@samba.org] 
Sent: Friday, May 27, 2016 9:57 AM
To: Interoperability Documentation Help ; 
cifs-protocol@lists.samba.org
Subject: Validated-Writes of servicePrincipalNames

Hi DocHelp,

we have seen clients registering servicePrincipalNames like 
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:SOPHOS.

We're rejecting them, as we didn't know about the :port part, and
MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName doesn't specify this optional 
part.

Testing against a Windows DC shows that only numeric characters are allowed 
after ':'. It seems it doesn't need to be a valid tcp/udp port number. It works 
with '9'.

I also found a number of Google hits where people use things like:
MSSQLSvc/YOURHOST.TESTDOMAIN.COM:MSSQLSERVER2008 or others with non-numeric 
:port parts.

Can you update the MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName section to be more 
detailed about what is and what is not allowed, maybe together with some 
examples?

https://msdn.microsoft.com/en-us/library/ms191153.aspx contains some 
information, but the following is a bit unclear to me:

  MSSQLSvc/FQDN:[port|instancename]

Should that allow "MSSQLSvc/FQDN:SOMENAME", or does it have to be

  MSSQLSvc/FQDN[:port][/instancename]
or
  MSSQLSvc/FQDN[:port|/instancename]

It would be nice to get some hints what we have to implement.

Thanks!
metze




Re: [cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

2016-06-08 Thread Sreekanth Nadendla
Hello Stefan, simple tests at my end using a test domain controller show that 
all of the following values are allowed by the MS Windows domain controller. Before 
I propose any doc changes, can you confirm which domain controller you have 
used when you say "Testing against a Windows DC shows that **only** numeric 
characters are allowed after ':'"? Did you mean to say the domain controller 
itself failed to add such an SPN? Or are you saying that it is the SQL Server 
that didn't find an SPN that has a nonnumeric character after ":"?



C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:1433   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB:MYINST1   lvisser

C:\Users\Administrator>setspn -A MSSQLSvc/myhost.379135DOM.LAB/MYINST2   lvisser

C:\Users\Administrator>setspn -l lvisser

Registered ServicePrincipalNames for CN=lora 
visser,CN=Users,DC=379135DOM,DC=LAB:

MSSQLSvc/myhost.379135DOM.LAB/MYINST2
MSSQLSvc/myhost.379135DOM.LAB:MYINST1
MSSQLSvc/myhost.379135DOM.LAB:1433


You can even have MSSQLSvc/myhost.379135DOM.LAB:8989797/MYINST2


But ultimately, if the SPN does not match the string as constructed by the 
service, i.e. SQL Server in this case, authentication will fail.




Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications



Re: [cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

2016-05-28 Thread Sreekanth Nadendla
Hi Metze, I will be assisting you with your issue.

Regards,
Sreekanth
