[38955] in Kerberos
Query regarding S4U2Self protocol extension
daemon@ATHENA.MIT.EDU (Vipul Mehta)
Fri Jul 23 18:27:04 2021
MIME-Version: 1.0
From: Vipul Mehta <vipulmehta.1989@gmail.com>
Date: Sat, 24 Jul 2021 02:08:21 +0530
Message-ID: <CAMeQEL8+JGoqgh-j62duJBMLLoOKVPEZRWbC4mxLtdB-3ggwtw@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi,
To perform constrained delegation from Service A to Service B, the forwardable
flag must be set in the S4U2Self service ticket returned by the KDC to Service
A.
I did some testing with a Windows KDC, and it will set the forwardable flag in the
S4U2Self service ticket in either of the following cases:
1) TrustedToAuthForDelegation is set to true in Service A account.
2) Service A TGT used in S4U2Self has forwardable flag set and
msDS-AllowedToDelegateTo list is empty on Service A account.
I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
in the second case.
Is the behavior of the MIT KDC the same as the Windows KDC?
In my test, I have configured resource based constrained delegation in
Service B (principalsAllowedToDelegateTo).
--
Regards,
Vipul
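As an added example (not part of the original post or of MIT Kerberos), the following decodes the TicketFlags BIT STRING carried in the EncKDCRepPart of an S4U2Self reply, so that Service A can check whether the KDC actually set the forwardable bit before it relies on the ticket for S4U2Proxy. The DER byte strings are constructed for illustration, not captured from a real KDC.

```python
"""Decode Kerberos TicketFlags (RFC 4120 section 5.2.8) from a DER BIT STRING."""

# Bit positions defined for TicketFlags in RFC 4120 section 5.2.8 / 5.3
TICKET_FLAG_NAMES = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable", 9: "initial",
    10: "pre-authent", 11: "hw-authent", 12: "transited-policy-checked",
    13: "ok-as-delegate",
}


def decode_ticket_flags(der: bytes) -> set:
    """Return the set of flag names set in a DER-encoded KerberosFlags value."""
    # Primitive BIT STRING: tag 0x03, short-form length, unused-bits octet, payload
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported long-form length or truncated encoding")
    unused, payload = der[2], der[3:]
    if unused > 7 or len(payload) < 4:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    total_bits = len(payload) * 8 - unused
    names = set()
    for bit in range(total_bits):
        # ASN.1 numbers bits from the most significant bit of the first octet
        if payload[bit // 8] & (0x80 >> (bit % 8)):
            names.add(TICKET_FLAG_NAMES.get(bit, "bit%d" % bit))
    return names


def is_forwardable(der: bytes) -> bool:
    """True if the service ticket can be used as evidence in a later S4U2Proxy."""
    return "forwardable" in decode_ticket_flags(der)


# Constructed sample values (not from a real KDC): 0 unused bits, then 32 flag bits
S4U2SELF_FLAGS_FORWARDABLE = bytes.fromhex("03050040a00000")      # 0x40A00000
S4U2SELF_FLAGS_NOT_FORWARDABLE = bytes.fromhex("03050000a00000")  # 0x00A00000

if __name__ == "__main__":
    for label, der in (("forwardable", S4U2SELF_FLAGS_FORWARDABLE),
                       ("not forwardable", S4U2SELF_FLAGS_NOT_FORWARDABLE)):
        print(label, sorted(decode_ticket_flags(der)), is_forwardable(der))
```

If `is_forwardable` returns False for the S4U2Self ticket, the KDC declined to mark it, which is exactly the condition described above where neither TrustedToAuthForDelegation nor a forwardable TGT with an empty msDS-AllowedToDelegateTo applied.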
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos