Errata

Active Directory

Errata for Active Directory


The errata list is a list of errors and their corrections that were found after the product was released.

The following errata were submitted by our customers and have not yet been approved or disproved by the author or editor. They solely represent the opinion of the customer.


Version Location Description Submitted by Date submitted
10
Figures

Text on page 10 says that Figure 2.3 illustrates transitive trust, but it's actually Figure 2.4 that does so. The current Figure 2.4 should be moved to 2.3.

The current Figure 2.3 should be 2.4, as referenced at the end of page 11, and its caption should read "...domain forest" (instead of "tree"), as per the text on page 11.

Cris Simpson  Jul 12, 2013 
Printed Page 85
"How to Work with Bit Masks" sidebar

Book states "In order to do this, you need to do a binary OR operation, which is equivalent to addition:"

I'm not sure if this should be a minor technical issue or a language issue, because in this instance OR and addition yield the same result, but this is not universally true: it only works because the two numbers do not have the same bits set to 1.

It goes on to instruct the reader where to find the options for binary arithmetic in the Windows calculator, further reinforcing the perception that OR and addition are equivalent.

Without a sufficient understanding of binary operations, a reader could easily (and falsely) conclude that they should use addition interchangeably with the OR operation.

Anonymous  Sep 12, 2017 
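As an added illustration of the point this submitter makes (example code, not from the book or the errata submitter), the following Python shows when setting a bit by addition matches a bitwise OR and when it silently corrupts the mask. It assumes the sidebar's mask is an attribute like userAccountControl and uses that attribute's well-known flag values.

```python
# Added example: bitwise OR versus addition when setting flags in a bit mask.
# Assumption: the mask is an Active Directory userAccountControl value; the
# constants below are the well-known flag values for that attribute.

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
PASSWD_CANT_CHANGE = 0x0040
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    PASSWD_CANT_CHANGE: "PASSWD_CANT_CHANGE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}


def set_flag_or(mask: int, flag: int) -> int:
    """Set flag with a bitwise OR. Idempotent: an already-set bit is unchanged."""
    return mask | flag


def set_flag_add(mask: int, flag: int) -> int:
    """Set flag by addition, as the sidebar suggests. Correct only if the bit is clear."""
    return mask + flag


def add_is_safe(mask: int, flag: int) -> bool:
    """Addition equals OR exactly when none of flag's bits are already set in mask."""
    return mask & flag == 0


def decode(mask: int) -> list:
    """Names of the known flags set in mask; any unknown bits reported as hex."""
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if mask & bit]
    unknown = mask & ~sum(FLAG_NAMES)
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


if __name__ == "__main__":
    # Constructed sample: a normal, disabled account with "password not required".
    uac = NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD          # 0x222
    print("OR :", decode(set_flag_or(uac, PASSWD_NOTREQD)))        # unchanged
    # Addition carries into the next bit: clears PASSWD_NOTREQD, sets PASSWD_CANT_CHANGE.
    print("ADD:", decode(set_flag_add(uac, PASSWD_NOTREQD)))
```

The carry is the failure mode: "adding" a flag that is already present clears it and sets a neighbouring, unrelated flag, so a script that re-applies a setting changes the account's security posture without any error.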
PDF Page 152
Figure 7-1

All referencing arrows in the table point from the same number, e.g. line 2 1787 to line 1787.
In line 4 it points from 6499 to line 3 5499. So I think this is a typo:
5499 should be 6499.
Then 5499 is also a typo in the column "Ancestors" in lines 3 and 4.

Anonymous  Mar 24, 2015 
Printed, PDF Page 268
Within Figure 10-4

Figure 10-4 states "The ticket granting service response packet", yet the actual diagram shows a TGS_REQ when it should be a TGS_REP.

CurtusR  Jun 24, 2014 
PDF Page 268, 269
Figure 10-4 and Service Ticket paragraph

You explain that the entire Service Ticket in a TGS_REP is encrypted with a hash of the service's password, but this is not true. If you go to section 5.3 of RFC 4120, the tkt-vno, realm, and sname (Service Principal) are part of the Service Ticket but are not encrypted!! More info can be found in the Ticket Contents table on https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx: "The first three fields in a ticket are not encrypted". This is important because most of the vulnerabilities of the Kerberos protocol are because of this.

Angel Munoz  Nov 25, 2015 
Printed, PDF Page 269
1st section, 3rd paragraph

This paragraph (Inside the service ticket is a copy of the access token...) implies that there should be a field (value) listed in the ST section of Figure 10-4 though there is not one.

At the WindowsITPro website, which uses the same diagrams:
http://windowsitpro.com/security/kerberos-active-directory

this is not shown either. So I believe this paragraph should either be removed, or a sentence added that states that the access token is presented in the ST section for the AS_REQ message and not the TGS_REP. Basically, there needs to be clarification of when the token information is added to the KRB messages.

Also, I do not see any KRB_AP_REQ or KRB_AP_REP diagrams or further explanation.

CurtusR  Jun 24, 2014 
Printed, PDF Page 269
Under the Application Access section, last paragraph

Last sentence in this paragraph states, "This is optional and not implemented in most cases"

However, according to TechNet:

http://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx#w2k3tr_kerb_how_pzvx

Message 6: The Optional Application Server Response

This message is optional unless mutual authentication is required. The message is used if the client needs to verify the target server's identity. This is requested in an application options field (Mutual Authentication Required) of the KRB_AP_REQ message. If this is requested, the target server will take the client computer's timestamp from the authenticator, encrypt it with the session key that the TGS provided for client/target server messages, and send it to the client.

Note: Most Windows services request mutual authentication.

CurtusR  Jun 24, 2014