[MS-SFU]: Kerberos Protocol Extensions Service for User and Constrained Delegation Protocol

Article
04/28/2023

This topic lists Errata found in [MS-SFU] since it was last published. Since this topic is updated frequently, we recommend that you subscribe to this RSS feed to receive update notifications.

Errata are subject to the same terms as the Open Specifications documentation referenced.

RSS

To view a PDF file of the errata for the previous versions of this document, see the following ERRATA Archives:

March 4, 2020 - Download

November 23, 2020 - Download

Errata below are for Protocol Document Version V21.0 – 2021/06/25.

Errata Published*	Description
2022/12/13	In section 2.2.2 PA_S4U_X509_USER: Added that the cname is case sensitive and it MUST not be canonicalized and that the crealm will not be canonicalized by the KDC. Changed from: cname: The PrincipalName type discussed in detail in [RFC4120] section 5.2.2. It consists of a name type and name string. The default value for the name type is NT-UNKNOWN as specified in [RFC4120] section 6.2. The name string is a sequence of strings encoded as KerberosString, as specified in [RFC4120] section 5.2.1, that (together with the crealm) represents a user principal. crealm: A KerberosString that represents the realm in which the user account is located. This value is not case-sensitive. Changed to: cname: The PrincipalName type discussed in detail in [RFC4120] section 5.2.2. It consists of a name type and name string. The default value for the name type is NT-UNKNOWN as specified in [RFC4120] section 6.2. The name string is a sequence of strings encoded as KerberosString, as specified in [RFC4120] section 5.2.1, that (together with the crealm) represents a user principal. The name string is case sensitive and must not be canonicalized by the KDC. crealm: A KerberosString that represents the realm in which the user account is located. This value is not case-sensitive; however, it will not be canonicalized by the KDC. In section 3.1.5.1.1.2 Sending the S4USelf KRB_TGT_REQ: Added that string canonicalization will not occur for either userName or userRealm fields. Changed from: … The userName is a structure consisting of a name type and a sequence of a name string … The userRealm is the realm of the user account. If the user realm name is unknown, Service 1 SHOULD use its own realm name. The auth-package field MUST be set to the string, "Kerberos". The auth-package field is not case-sensitive. Changed to: … The userName is a structure consisting of a name type and a sequence of a name string … The userRealm is the realm of the user account. If the user realm name is unknown, Service 1 SHOULD use its own realm name. The auth-package field MUST be set to the string, "Kerberos". The auth-package field is not case-sensitive. String canonicalization will not occur for either userName or userRealm fields. In section 3.2.5.1 KDC Receives S4U2self KRB_TGS_REQ: Added that the Name field in the PAC_CLIENT_INFO structure MUST have matching case for both the client name and the client realm fields. Changed from: • If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], a referral TGT is received and a PAC is provided, the Name field in the PAC_CLIENT_INFO structure MUST have the form of "client name@client realm". Changed to: • If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], a referral TGT is received and a PAC is provided, the Name field in the PAC_CLIENT_INFO structure MUST have the form of "client name@client realm" with matching case for both fields.
2021/09/21	In Section 3.2.5.2.3 Using ServicesAllowedToReceiveForwardedTicketsFrom, removed the UserAccountControl check and added a behavior note to document the addition of the NonForwardableDelegation flag with references to the Kerberos Security Feature Bypass Vulnerability. Changed from: If the service ticket in the additional-tickets field is not set to forwardable,<22> and the USER_NOT_DELEGATED bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5), then the KDC MUST return KRB-ERR-BADOPTION with STATUS_ACCOUNT_RESTRICTION ([MS-ERREF] section 2.3.1). Changed to: If the service ticket in the additional-tickets field is not set to forwardable,<22> then the KDC MUST return KRB-ERR-BADOPTION with STATUS_ACCOUNT_RESTRICTION ([MS-ERREF] section 2.3.1).<23> <23> Section 3.2.5.2.3: The Kerberos Security Feature Bypass Vulnerability March 12,2021 [MSFT-CVE-2020-16996] update adds support for the NonForwardableDelegation registry value to (0) enable Enforcement of protection on Active Directory domain controller servers. Active Directory domain controllers will be in Enforcement mode unless the enforcement mode registry key is set to (1) disabled. This update applies to Windows Server 2012 and later. For additional information that includes Windows Server 2008 SP2 operating system and Windows Server 2008 R2 SP1 operating system see [MSFT-RBCD-ProtectedUserChanges].

Errata Published*

Description

2022/12/13

In section 2.2.2 PA_S4U_X509_USER: Added that the cname is case sensitive and it MUST not be canonicalized and that the crealm will not be canonicalized by the KDC.

Changed from:

cname: The PrincipalName type discussed in detail in [RFC4120] section 5.2.2. It consists of a name type and name string. The default value for the name type is NT-UNKNOWN as specified in [RFC4120] section 6.2. The name string is a sequence of strings encoded as KerberosString, as specified in [RFC4120] section 5.2.1, that (together with the crealm) represents a user principal.

crealm: A KerberosString that represents the realm in which the user account is located. This value is not case-sensitive.

Changed to:

crealm: A KerberosString that represents the realm in which the user account is located. This value is not case-sensitive; however, it will not be canonicalized by the KDC.

In section 3.1.5.1.1.2 Sending the S4USelf KRB_TGT_REQ: Added that string canonicalization will not occur for either userName or userRealm fields.

Changed from:

… The userName is a structure consisting of a name type and a sequence of a name string … The userRealm is the realm of the user account. If the user realm name is unknown, Service 1 SHOULD use its own realm name. The auth-package field MUST be set to the string, "Kerberos". The auth-package field is not case-sensitive.

Changed to:

In section 3.2.5.1 KDC Receives S4U2self KRB_TGS_REQ: Added that the Name field in the PAC_CLIENT_INFO structure MUST have matching case for both the client name and the client realm fields.

Changed from:

• If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], a referral TGT is received and a PAC is provided, the Name field in the PAC_CLIENT_INFO structure MUST have the form of "client name@client realm".

Changed to:

2021/09/21

In Section 3.2.5.2.3 Using ServicesAllowedToReceiveForwardedTicketsFrom, removed the UserAccountControl check and added a behavior note to document the addition of the NonForwardableDelegation flag with references to the Kerberos Security Feature Bypass Vulnerability.

Changed from:

If the service ticket in the additional-tickets field is not set to forwardable,<22> and the USER_NOT_DELEGATED bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5), then the KDC MUST return KRB-ERR-BADOPTION with STATUS_ACCOUNT_RESTRICTION ([MS-ERREF] section 2.3.1).

Changed to:

If the service ticket in the additional-tickets field is not set to forwardable,<22> then the KDC MUST return KRB-ERR-BADOPTION with STATUS_ACCOUNT_RESTRICTION ([MS-ERREF] section 2.3.1).<23>

<23> Section 3.2.5.2.3: The Kerberos Security Feature Bypass Vulnerability March 12,2021 [MSFT-CVE-2020-16996] update adds support for the NonForwardableDelegation registry value to (0) enable Enforcement of protection on Active Directory domain controller servers. Active Directory domain controllers will be in Enforcement mode unless the enforcement mode registry key is set to (1) disabled. This update applies to Windows Server 2012 and later. For additional information that includes Windows Server 2008 SP2 operating system and Windows Server 2008 R2 SP1 operating system see [MSFT-RBCD-ProtectedUserChanges].

*Date format: YYYY/MM/DD

[MS-SFU]: Kerberos Protocol Extensions Service for User and Constrained Delegation Protocol

Additional resources