On Tue, 23 Sep 2025, Kristian Smith wrote:
> Hi Alexander,
>
> I have word back from the engineering team on your question.
>
> Since the netlogon and KDC binaries are hosted on the same machine for
> Windows Domain Controllers, the process described is done by the two
> binaries communicating with each other directly within LSASS. It is
> not via a network call to the KDC like TGS or ticket renewals.
>
> Apologies for the delayed response, but I hope this helps. Let me know
> if you have any follow-up questions or concerns.

Thank you. I'd like you to clarify the specification to include this detail.

>
> Regards,
> Kristian Smith
> Support Escalation Engineer | Microsoft(r) Corporation
> Email: [email protected]
>
> -----Original Message-----
> From: Alexander Bokovoy <[email protected]>
> Sent: Monday, September 15, 2025 12:14 AM
> To: Kristian Smith <[email protected]>
> Cc: [email protected]; Microsoft Support <[email protected]>
> Subject: Re: [EXTERNAL] Network Ticket Logon clarification - TrackingID#2508140040006509
>
> Hi Kristian,
>
> On Fri, 12 Sep 2025, Kristian Smith wrote:
> > Hi Alexander,
> >
> > Apologies for the delay in response. Jeff retired last week and I'll
> > be taking over this case on his behalf.
>
> Happy retirement to Jeff!
>
> >
> > I see that you're referencing the 5 steps outlined in [MS-NRPC]
> > 3.2.4.2 Network Ticket Logon. You're wondering about the intermediary
> > steps between the following:
> >
> > 2. Netlogon delivers the request (see section 3.2.4.2.1
> >    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/1ff6ce53-dc55-4a9e-af21-cb8ea5de5948>)
> > 3. The Key Distribution Center (KDC)
> >    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/b5e7d25a-40b2-41c8-9611-98f53358af66#gt_6e5aafba-6b66-4fdd-872e-844f142af287>
> >    processes the request and sends a reply (see [MS-KILE]
> >    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9>
> >    section 3.3.5.8.1
> >    <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/5445bcc9-1232-42d3-9f66-99f40463a92c>)
> >
> > [MS-NRPC] 3.2.4.2.1 discusses what I interpret as 2 stages, dispatch
> > to the appropriate DC, and the domain calling the KDC.
> >
> > Is your question specifically about the call to the KDC after the
> > Netlogon request has reached the appropriate DC?
>
> Correct. There is no description of how Netlogon is supposed to request the
> check from KDC and how KDC should respond. I'd like to see that documented
> because there is no existing Kerberos protocol message exchange for this
> operation and none of the custom changes are documented anywhere.
>
> >
> > Regards,
> > Kristian Smith
> > Support Escalation Engineer | Microsoft(r) Corporation
> > Email: [email protected]
> >
> > From: Jeff McCashland (He/him) <[email protected]>
> > Sent: Monday, August 18, 2025 3:37 PM
> > To: Alexander Bokovoy (Samba) <[email protected]>
> > Cc: [email protected]; Microsoft Support <[email protected]>
> > Subject: Re: [EXTERNAL] Network Ticket Logon clarification - TrackingID#2508140040006509
> >
> > [Kristian to BCC]
> >
> > Hi Alexander,
> >
> > I will research the logon interaction and see what I can find.
> >
> > Best regards,
> > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation
> >
> > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
> >
> > Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300
> >
> > ________________________________
> > From: Kristian Smith <[email protected]>
> > Sent: Thursday, August 14, 2025 8:39 AM
> > To: Alexander Bokovoy (Samba) <[email protected]>
> > Cc: [email protected] <[email protected]>; Microsoft Support <[email protected]>
> > Subject: RE: [EXTERNAL] Network Ticket Logon clarification - TrackingID#2508140040006509
> >
> > [DocHelp to Bcc]
> >
> > Hi Alexander,
> >
> > Thanks for reaching out with your Kerberos/Netlogon question. I've created
> > case 2508140040006509 to track the issue. One of our engineers will
> > investigate this and contact you soon.
> >
> > Regards,
> > Kristian Smith
> > Support Escalation Engineer | Microsoft(r) Corporation
> > Email: [email protected]
> >
> > -----Original Message-----
> > From: Alexander Bokovoy <[email protected]>
> > Sent: Thursday, August 14, 2025 5:41 AM
> > To: Interoperability Documentation Help <[email protected]>
> > Cc: [email protected]
> > Subject: [EXTERNAL] Network Ticket Logon clarification
> >
> > Hello Dochelp,
> >
> > I am reading through MS-KILE v45 update that was published this week
> > (v20250811) and trying to understand how KDC would receive the request
> > whose processing is described in the section [MS-KILE] 3.3.5.8 Network
> > Ticket Logon.
> >
> > As referenced in [MS-KILE] 3.3.5.8, [MS-NRPC] 3.2.4.2 describes the process
> > on the Netlogon side, namely:
> >
> > --------------------------------------
> > Broadly, there are five major steps in the network ticket logon process:
> >
> > - The Kerberos client prepares and makes a request (see [MS-APDS]
> >   sections 3.2.5.1 and 3.2.5.2)
> >
> > - Netlogon delivers the request (see section 3.2.4.2.1)
> >
> > - The Key Distribution Center (KDC) processes the request and sends
> >   a reply (see [MS-KILE] section 3.3.5.8.1)
> >
> > - Netlogon processes the reply and sends it to the client (see
> >   section 3.2.4.2.2)
> >
> > - The Kerberos client receives the reply (see [MS-APDS] section
> >   3.2.5.4)
> > -------------------------------------
> >
> > My question is related to the steps 'Netlogon delivers the request'
> > and 'KDC processes the requests and sends a reply'. Unfortunately,
> > neither [MS-NRPC] 3.2.4.2.1 nor [MS-KILE] 3.3.5.8.1 clarify how exactly
> > Netlogon and KDC communicate the request between each other.
> >
> > Could you please clarify it?
> >
> > Is it a specially formatted TGS-REQ? Or is it some special form of a
> > back-channel between these components?
> >
> > --
> > / Alexander Bokovoy
> >
> --
> / Alexander Bokovoy

--
/ Alexander Bokovoy

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
