Hi Alexander,

I have word back from the engineering team on your question.

Since the netlogon and KDC binaries are hosted on the same machine for Windows Domain Controllers, the process described is done by the two binaries communicating with each other directly within LSASS. It is not via a network call to the KDC like TGS or ticket renewals.

Apologies for the delayed response, but I hope this helps. Let me know if you have any follow up questions or concerns.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: [email protected]

-----Original Message-----
From: Alexander Bokovoy <[email protected]>
Sent: Monday, September 15, 2025 12:14 AM
To: Kristian Smith <[email protected]>
Cc: [email protected]; Microsoft Support <[email protected]>
Subject: Re: [EXTERNAL] Network Ticket Logon clarification - TrackingID#2508140040006509

Hi Kristian,

On Fri, 12 Sep 2025, Kristian Smith wrote:
> Hi Alexander,
>
> Apologies for the delay in response. Jeff retired last week and I'll
> be taking over this case on his behalf.

Happy retirement to Jeff!

>
> I see that you're referencing the 5 steps outlined in [MS-NRPC]
> 3.2.4.2 Network Ticket Logon. You're wondering about the intermediary
> steps between the following:
>
> 2. Netlogon delivers the request (see section
> 3.2.4.2.1<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/1ff6ce53-dc55-4a9e-af21-cb8ea5de5948>)
> 3. The Key Distribution Center
> (KDC)<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/b5e7d25a-40b2-41c8-9611-98f53358af66#gt_6e5aafba-6b66-4fdd-872e-844f142af287>
> processes the request and sends a reply (see
> [MS-KILE]<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9>
> section
> 3.3.5.8.1<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/5445bcc9-1232-42d3-9f66-99f40463a92c>)
>
> [MS-NRPC] 3.2.4.2.1 discusses what I interpret as 2 stages, dispatch
> to the appropriate DC, and the domain calling the KDC.
>
> Is your question specifically about the call to the KDC after the
> Netlogon request has reached the appropriate DC?

Correct. There is no description of how Netlogon is supposed to request the check from KDC and how KDC should respond. I'd like to see that documented because there is no existing Kerberos protocol message exchange for this operation and none of the custom changes are documented anywhere.

>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Email: [email protected]
>
> From: Jeff McCashland (He/him) <[email protected]>
> Sent: Monday, August 18, 2025 3:37 PM
> To: Alexander Bokovoy (Samba) <[email protected]>
> Cc: [email protected]; Microsoft Support <[email protected]>
> Subject: Re: [EXTERNAL] Network Ticket Logon clarification -
> TrackingID#2508140040006509
>
> [Kristian to BCC]
>
> Hi Alexander,
>
> I will research the logon interaction and see what I can find.
>
>
> Best regards,
> Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft
> Corporation
>
> Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone:
> (UTC-08:00) Pacific Time (US and Canada)
>
> Local country phone number found here:
> http://support.microsoft.com/globalenglish | Extension 1138300
>
>
>
> ________________________________
> From: Kristian Smith <[email protected]>
> Sent: Thursday, August 14, 2025 8:39 AM
> To: Alexander Bokovoy (Samba) <[email protected]>
> Cc: [email protected] <[email protected]>;
> Microsoft Support <[email protected]>
> Subject: RE: [EXTERNAL] Network Ticket Logon clarification -
> TrackingID#2508140040006509
>
> [DocHelp to Bcc]
>
> Hi Alexander,
>
> Thanks for reaching out with your Kerberos/Netlogon question. I've created
> case 2508140040006509 to track the issue. One of our engineers will
> investigate this and contact you soon.
>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Email: [email protected]
>
> -----Original Message-----
> From: Alexander Bokovoy <[email protected]>
> Sent: Thursday, August 14, 2025 5:41 AM
> To: Interoperability Documentation Help <[email protected]>
> Cc: [email protected]
> Subject: [EXTERNAL] Network Ticket Logon clarification
>
> Hello Dochelp,
>
> I am reading through the MS-KILE v45 update that was published this week
> (v20250811) and trying to understand how the KDC would receive the request
> whose processing is described in the section [MS-KILE] 3.3.5.8 Network
> Ticket Logon.
>
> As referenced in [MS-KILE] 3.3.5.8, [MS-NRPC] 3.2.4.2 describes the process
> on the Netlogon side, namely:
>
> --------------------------------------
> Broadly, there are five major steps in the network ticket logon process:
>
> - The Kerberos client prepares and makes a request (see [MS-APDS]
>   sections 3.2.5.1 and 3.2.5.2)
>
> - Netlogon delivers the request (see section 3.2.4.2.1)
>
> - The Key Distribution Center (KDC) processes the request and sends
>   a reply (see [MS-KILE] section 3.3.5.8.1)
>
> - Netlogon processes the reply and sends it to the client (see
>   section 3.2.4.2.2)
>
> - The Kerberos client receives the reply (see [MS-APDS] section
>   3.2.5.4)
> -------------------------------------
>
> My question is related to the steps 'Netlogon delivers the request'
> and 'KDC processes the requests and sends a reply'. Unfortunately,
> neither [MS-NRPC] 3.2.4.2.1 nor [MS-KILE] 3.3.5.8.1 clarifies how
> exactly Netlogon and KDC communicate the request between each other.
>
> Could you please clarify it?
>
> Is it a specially formatted TGS-REQ? Or is it some special form of a
> back-channel between these components?
>
> --
> / Alexander Bokovoy

--
/ Alexander Bokovoy

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
