[MS-CSSP]: Credential Security Support Provider (CredSSP) Protocol

This topic lists Errata found in [MS-CSSP] since it was last published. Since this topic is updated frequently, we recommend that you subscribe to this RSS feed to receive update notifications.

Errata are subject to the same terms as the Open Specifications documentation referenced.

To view a PDF file of the errata for the previous versions of this document, see the following ERRATA Archives:

July 18, 2016 - Download

June 1, 2017 - Download

March 16, 2018 - Download

September 12, 2018 - Download

September 29, 2020 – Download

Errata below are for Protocol Document Version V20.0 – 2021/06/25.

Errata Published*

Description

2021/09/07

In Section 2.2.1.2.3.1 TSRemoteGuardPackageCred, changed credBuffer: Windows CredSSP usage of Kerberos User to User tickets.

Changed from:

credBuffer: An ASN.1 OCTET STRING byte buffer that contains the credentials in a format that SHOULD<22> be specified by the CredSSP server operating system for the package that provided them.

<22> Section 2.2.1.2.3.1: . . .Windows CredSSP clients will use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket, but the server does not enforce this. . .

Changed to:

credBuffer: An ASN.1 OCTET STRING byte buffer that contains the credentials in a format that SHOULD<22> be specified by the CredSSP server operating system for the package that provided them.

<22> Section 2.2.1.2.3.1: . . .Windows CredSSP clients do not use Kerberos User to User tickets ([RFC4120], section 2.9.2) as the ServiceTicket, but can if necessary; the server does not enforce this. . .

2021/08/10

In Section 2.2.1.2.3.1 TSRemoteGuardPackageCred, adjusted supplemental credential code arrangement and added C bit flag for the Credential Key being present.

Changed from:

typedef struct _NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL {
    ULONG Version;
    ULONG Flags;
    MSV1_0_CREDENTIAL_KEY_TYPE reserved;
    MSV1_0_CREDENTIAL_KEY reserved;
    ULONG reservedsize;
    [size_is(reservedSize)] UCHAR* reserved;
} NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL;

Version: A 32-bit unsigned integer that defines the credential version. This field is 0xFFFF0002.

Flags: A 32-bit unsigned integer containing flags that define the credential options. At least one of the following values is required.


 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 N L

Where the bits are defined as follows:

Value   Description
L       Indicates that the LM OWF member is present and valid.
N       Indicates that the NT OWF member is present and valid.

Changed to:

typedef struct _NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL {
    ULONG Version;
    ULONG Flags;
    MSV1_0_CREDENTIAL_KEY reserved;
    MSV1_0_CREDENTIAL_KEY_TYPE reserved;
    ULONG reservedsize;
    [size_is(reservedSize)] UCHAR* reserved;
} NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL;

Version: A 32-bit unsigned integer that defines the credential version. This field is 0xFFFF0002.

Flags: A 32-bit unsigned integer containing flags that define the credential options. At least one of the following values is required.


 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 C 0 N L

Where the bits are defined as follows:

Value   Description
L       Indicates that the LM OWF member is present and valid.
N       Indicates that the NT OWF member is present and valid.
C       Indicates that the reserved credential key is present and valid ([MS-RDPEAR] section 2.2.1.3.5).

*Date format: YYYY/MM/DD
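
The Version and Flags rules of the revised NTLM_REMOTE_SUPPLEMENTAL_CREDENTIAL, written as a receiver-side header check; this is an added example, not code from the specification or the errata. Assumptions: ULONG fields are little-endian, bit 31 of the diagram is the least significant bit (so L = 0x1, N = 0x2, C = 0x8), bits the diagram shows as 0 are rejected as a strictness choice of this example, and all NRSC_* names are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed names; the errata define only the letters L, N and C. */
#define NRSC_VERSION     0xFFFF0002u
#define NRSC_FLAG_L      0x00000001u  /* LM OWF present (assumed mask) */
#define NRSC_FLAG_N      0x00000002u  /* NT OWF present (assumed mask) */
#define NRSC_FLAG_C      0x00000008u  /* credential key present (assumed mask) */
#define NRSC_KNOWN_FLAGS (NRSC_FLAG_L | NRSC_FLAG_N | NRSC_FLAG_C)

enum nrsc_status { NRSC_OK = 0, NRSC_TOO_SHORT, NRSC_BAD_VERSION,
                   NRSC_UNDEFINED_BITS, NRSC_NO_FLAGS };

/* Assumption: ULONG fields are encoded little-endian. */
static uint32_t nrsc_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the first two fields (Version, Flags) before trusting the rest. */
enum nrsc_status nrsc_check_header(const uint8_t *buf, size_t len,
                                   uint32_t *flags_out)
{
    uint32_t flags;

    if (buf == NULL || len < 8)
        return NRSC_TOO_SHORT;
    if (nrsc_le32(buf) != NRSC_VERSION)
        return NRSC_BAD_VERSION;
    flags = nrsc_le32(buf + 4);
    if (flags & ~NRSC_KNOWN_FLAGS)   /* a bit the diagram shows as 0 is set */
        return NRSC_UNDEFINED_BITS;
    if (flags == 0)                  /* at least one of L, N, C is required */
        return NRSC_NO_FLAGS;
    if (flags_out != NULL)
        *flags_out = flags;
    return NRSC_OK;
}

int main(void)
{
    /* Constructed sample: Version 0xFFFF0002, Flags = N | C. */
    const uint8_t sample[8] = { 0x02, 0x00, 0xFF, 0xFF, 0x0A, 0x00, 0x00, 0x00 };
    uint32_t flags = 0;
    return nrsc_check_header(sample, sizeof sample, &flags) == NRSC_OK ? 0 : 1;
}
```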