Microsoft Open Specifications Support Team Blog

The official blog of the Engineers supporting the Microsoft Open Specifications Documentation

Browse by Tags

Tagged Content List
  • Blog Post: Extended DFS referral for SMB 3

    This blog talks about site-aware DFS referral introduced in Windows Server 2012. Extended DFS referrals provide remote client computers with optimal DFS referrals when the computers connect to the corporate network by using DirectAccess. This blog also describes how to configure a Windows 8 client to...
  • Blog Post: SMB 2.x and SMB 3.0 Timeouts in Windows

    This blog talks about common timeouts for SMB dialects 2.x and 3.0 [MS-SMB2] in Windows. It also covers continuous availability timeout, witness keep alive [MS-SWN], and some SMB-Direct timers [MS-SMBD]. The behaviors are generally version-specific and therefore may change in future Windows releases...
  • Blog Post: CIFS and SMB Timeouts in Windows

    This blog gives a consolidated overview of the most common SMB timeouts in Windows and their behaviors. Some of these legacy timeouts or timers are optional, implementation specific, not defined or not required by the protocol specifications. Let’s recall that MS-CIFS documents the protocol implemented...
  • Blog Post: Encryption in SMB 3.0: A protocol perspective

    Encryption is one of the new SMB 3.0 security enhancements in Windows Server 2012 RTM. It can be enabled on a per-share basis, or enforced for all shares on the server. SMB 3.0 uses AES-CCM [RFC5084] as encryption algorithm, and this also provides data integrity (signing). This blog takes a protocol...
  • Blog Post: Password encryption in establishing a remote assistance session of type 1

    This blog provides details on how the PassStub is used when establishing a remote assistance session of type 1 . It presents the password encryption flow and illustrates with Windows APIs and sample data. Remote assistance overview Remote Assistance (RA) was introduced in Windows XP and enables...
  • Blog Post: Windows Configurations for Kerberos Supported Encryption Type

    In one of my previous blogs ( http://blogs.msdn.com/b/openspecification/archive/2010/11/17/encryption-type-selection-in-kerberos-exchanges.aspx ), I talked about how the encryption types of the various encrypted parts of the Kerberos exchanges are selected. The selections of these encryption types...
  • Blog Post: Implementing the Algorithm for Deriving Password and encrypting Connection String in MS-RAIOP

    In Microsoft Open Protocol documents, there are many algorithms that involve crypto operations in particular ways. Sometimes the protocol documents also provide specific protocol examples that include the initial input, the intermediate results and the final result for each step of the algorithm...
  • Blog Post: Notes on Kerberos kvno in Windows RODC environment

    This blog talks about key version number (kvno) in a read-only domain controller (RODC) environment. A previous blog introduced kvno in general. Here, I look at specifics in RODC environment. For a refresher, the kvno is a field of the EncryptedData structure ( RFC4120 Section 5.2.9). It indicates...
  • Blog Post: Encryption Type Selection in Kerberos Exchanges

    The types of encryption used in various Kerberos exchanges are very important and sometimes confusing aspects of the Kerberos implementation. We not only need to understand the Kerberos RFCs (RFC 4120, RFC 3961, etc.) that specify generally how the encryption types should be selected, but also the effects...
  • Blog Post: Notes on sparse files and file sharing

    Sparse files are generally referred to as files, often large, that contain only a small amount of nonzero data relative to their size. In this blog, I would like to chat about sparse files on Windows operating systems and the related SMB commands. From an inter-operability perspective, I intend to discuss...
  • Blog Post: Understanding the minimum set of DIT elements required by the first DC using MS-ADTS

    Active Directory contains a group of objects that also have a group of attributes. All of them exist for some reasons. Some of them are essential for the existence of Active Directory, while others are stored and used by other applications, such as Exchange Server, Terminal Server etc. When a Domain...
  • Blog Post: Inside look at one of the domain controller promotion process using DCPromo

    In order to add an additional domain controller to an existing domain, DCPromo must be used to complete the task. The process will install the AD DS on the Windows Server, join the machine to the domain and replicate all partitions from the existing domain controller. The steps for running DCPromo to...
  • Blog Post: Verifying the server signature in Kerberos Privilege Account Certificate

    This blog post focuses on understanding how a server signature is verified in a Kerberos Privilege Account Certificate (PAC). A PAC contains two signatures: a server signature and a KDC signature. In a previous blog , I introduced PAC validation, whereby the server requests the KDC to verify the PAC...
  • Blog Post: Reflecting on another successful Interoperability Lab event

    Engagement with partners is an integral part of achieving interoperability with Windows. In addition to helping users of the Microsoft Open Protocol Specifications, our team participates on a regular basis in interoperability labs dedicated to specific areas of focus of our partners. Sun Microsystems...
  • Blog Post: To KVNO or not to KVNO, what is the version!?

    Shakespeare knew nothing about Kerberos V5… Nothing! But, I still like him! And that, despite the fact that he had the audacity to paraphrase me in his play “Hamlet”. Of course no one believes me! I must admit it would be much easier to convince you about this historic truth...
  • Blog Post: Using Openssl to implement Crypto Operations in Netlogon Remote Protocol

    Background The Netlogon Remote Protocol remote procedure call (RPC) interface is used primarily by Microsoft Windows to maintain the relationship between a machine and its domain. In the protocol, a client delivers a logon request to the domain controller over an established secure channel between...
  • Blog Post: A successful story of an Interoperability Lab event

    As the protocol documentation support team, we have the responsibility of helping the users of our published Microsoft Open Protocol Documentation achieve successful interoperability with Windows. There's more to interoperability than just good technical documentation; engagement with partners is essential...
  • Blog Post: msDS-SupportedEncryptionTypes – Episode 1 - Computer accounts

    Introduction In order to be concise with this article, I need to assume that the reader is familiar with Kerberos and Active Directory. If not, then I can quickly think of two scenarios: 1) Your favorite search engine ( Bing in my case) took you here as a misunderstanding. 2) You came because...
  • Blog Post: Stronger Keys for Netlogon Remote Protocol in Windows 7

    Background Netlogon Remote Protocol (MS-NRPC) provides secure communication between domain members and domain controllers. In the protocol, a client delivers a logon request to the domain controller over an established secure channel between a DC and clients. The secure channel is achieved by encrypting...
  • Blog Post: S4U_DELEGATION_INFO and Constrained Delegation

    Background The constrained delegation extension, also called S4U2proxy, is one of the Service for User (S4U) extensions to the Kerberos protocol. It allows a service to obtain service tickets to a subset of other services on behalf of the user. The service can then present the tickets to the other service...
  • Blog Post: Understanding unique attributes in Active Directory

    In this blog, I would like to help the reader understand the rules that govern unique attributes in Active Directory (AD) along with the Open Protocols documentation set. I provide examples for user naming attributes. I also clarify common misunderstandings about attribute uniqueness and attribute indexing...
  • Blog Post: SMB 2.1 Multi-Credit (Large MTU) Operations

    One design goal for the SMB 2.1 protocol implementation on Windows Server 2008 R2 and Windows 7 was to achieve better performance for 10 Gigabit Ethernet (very high speed / low latency networks). This has been achieved with a new feature called ‘Large MTU’, or ‘multi-credit’ operations. The maximum transmission...
  • Blog Post: PEAP Phase 2 encapsulation examples for a client authenticating with MS-CHAPv2

    Protected Extensible Authentication Protocol, or Protected EAP ( PEAP ) uses EAP as a transport. The Transport Layer Security (TLS) tunnel established in Phase 1 is utilized to protect messages exchanged (e.g. authentication credentials) in Phase 2 against eavesdropping or man-in-the-middle attacks....
  • Blog Post: Client caching features: Oplock vs. Lease

    An opportunistic lock, or oplock, is a client caching mechanism that allows SMB/SMB2 clients to dynamically decide the client-side buffering strategy so that network traffic can be minimized. For example, a client can buffer data for writing locally to reduce network packets if the client is notified there...
  • Blog Post: Understanding Microsoft Kerberos PAC Validation

    This blog post focuses on understanding Microsoft Kerberos PAC validation. It discusses the topic from an interoperability perspective with Windows operating systems. An SMB session establishment scenario is used to illustrate how PAC validation works. Background Impersonation enables a trusted...
Page 1 of 2 (27 items)