[38956] in Kerberos
Re: Query regarding S4U2Self protocol extension
daemon@ATHENA.MIT.EDU (Vipul Mehta)
Fri Jul 23 18:27:05 2021
MIME-Version: 1.0
In-Reply-To: <CAMeQEL8+JGoqgh-j62duJBMLLoOKVPEZRWbC4mxLtdB-3ggwtw@mail.gmail.com>
From: Vipul Mehta <vipulmehta.1989@gmail.com>
Date: Sat, 24 Jul 2021 03:52:56 +0530
Message-ID: <CAMeQEL9+g2rZuVh6Azfqb4Ryd5QK7-b95Zc=DTX+4Z2ou97D-w@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Did some more digging and found out the following:
The service ticket used in S4U2Proxy need not be forwardable if resource-based
constrained delegation is used, i.e. the principalsAllowedToDelegateTo option is
configured on Service B.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/dd1b47f9-580c-4c4e-8f34-4485b9728331
This is proved here:
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#serendipity
On Sat, Jul 24, 2021 at 2:08 AM Vipul Mehta <vipulmehta.1989@gmail.com>
wrote:
> Hi,
>
> To perform constrained delegation from Service A to Service B, the
> forwardable flag must be set in the S4U2Self service ticket returned by the KDC
> to Service A.
>
> I did some testing with the Windows KDC and it will set the forwardable flag in
> the S4U2Self service ticket in either of the following cases:
>
> 1) TrustedToAuthForDelegation is set to true in Service A account.
>
> 2) The Service A TGT used in S4U2Self has the forwardable flag set and the
> msDS-AllowedToDelegateTo list is empty on the Service A account.
>
> I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> in the 2nd case.
>
> Is the behavior of the MIT KDC the same as the Windows KDC?
> In my test, I have configured resource-based constrained delegation on
> Service B (principalsAllowedToDelegateTo).
>
> --
> Regards,
> Vipul
>
--
Regards,
Vipul
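The following is an added example and is not part of the mailing-list post, nor code from MIT Kerberos or Microsoft. It models, for configuration review, the forwardable-flag behaviour the post reports for the Windows KDC (S4U2Self ticket forwardable when TrustedToAuthForDelegation is set, or when the TGT is forwardable and msDS-AllowedToDelegateTo is empty) and the post's conclusion that resource-based constrained delegation does not require a forwardable evidence ticket. The TicketFlags bit positions come from RFC 4120 section 5.3 (plus RFC 6112 and RFC 6806); the `ServiceAccount` class, the account names, the baseline flag set and the `review_delegation` helper are assumptions introduced here.

```python
from dataclasses import dataclass, field

# Kerberos TicketFlags bit positions (RFC 4120 section 5.3; "anonymous" from
# RFC 6112, "enc-pa-rep" from RFC 6806). Bit 0 is the most significant bit of
# the 32-bit value that klist-style tools print, so forwardable == 0x40000000.
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13, "anonymous": 14,
    "enc-pa-rep": 15,
}


def decode_ticket_flags(value: int) -> set:
    """Map a 32-bit TicketFlags value to the set of flag names that are set."""
    return {name for name, bit in TICKET_FLAG_BITS.items() if value & (1 << (31 - bit))}


def encode_ticket_flags(names) -> int:
    """Inverse of decode_ticket_flags: build the 32-bit value from flag names."""
    return sum(1 << (31 - TICKET_FLAG_BITS[n]) for n in set(names))


@dataclass
class ServiceAccount:
    """Hypothetical AD service account; attribute names follow the post."""
    name: str
    trusted_to_auth_for_delegation: bool = False                 # TrustedToAuthForDelegation
    allowed_to_delegate_to: list = field(default_factory=list)   # msDS-AllowedToDelegateTo


def s4u2self_ticket_flags(svc_a: ServiceAccount, tgt_flags: set) -> set:
    """Flags of the S4U2Self service ticket, modelling the Windows KDC behaviour
    reported in the post: forwardable is set when (1) TrustedToAuthForDelegation
    is true, or (2) the TGT is forwardable and msDS-AllowedToDelegateTo is empty.
    The other flags are a constructed baseline, not taken from the page."""
    flags = {"renewable", "pre-authent"}
    if svc_a.trusted_to_auth_for_delegation or (
        "forwardable" in tgt_flags and not svc_a.allowed_to_delegate_to
    ):
        flags.add("forwardable")
    return flags


def s4u2proxy_accepted(svc_a, svc_b_spn, evidence_flags, svc_b_rbcd_principals) -> bool:
    """Would the KDC accept an S4U2Proxy request from A to B with this evidence ticket?
    Resource-based path: A is listed in B's principalsAllowedToDelegateTo and the
    forwardable flag is not required (the post's conclusion).
    Classic path: B is in A's msDS-AllowedToDelegateTo and the ticket is forwardable."""
    if svc_a.name in svc_b_rbcd_principals:
        return True
    return svc_b_spn in svc_a.allowed_to_delegate_to and "forwardable" in evidence_flags


def review_delegation(svc_a, svc_b_spn, svc_b_rbcd_principals, tgt_flags) -> dict:
    """Summarise one A -> B delegation path for a configuration review.
    protocol_transition=True is the setting reviewers usually want to justify,
    because it lets A obtain a forwardable ticket for any user without that
    user's credentials."""
    s4u2self = s4u2self_ticket_flags(svc_a, tgt_flags)
    return {
        "protocol_transition": svc_a.trusted_to_auth_for_delegation,
        "s4u2self_forwardable": "forwardable" in s4u2self,
        "rbcd_path": svc_a.name in svc_b_rbcd_principals,
        "s4u2proxy_accepted": s4u2proxy_accepted(
            svc_a, svc_b_spn, s4u2self, svc_b_rbcd_principals),
    }


if __name__ == "__main__":
    # Constructed scenario: the post's case 2 with a non-empty
    # msDS-AllowedToDelegateTo, then the same accounts with RBCD on B.
    tgt = decode_ticket_flags(0x40E00000)   # forwardable renewable initial pre-authent
    a = ServiceAccount("svcA$", allowed_to_delegate_to=["cifs/svcB"])
    print("classic:", review_delegation(a, "cifs/svcB", [], tgt))
    print("rbcd:   ", review_delegation(a, "cifs/svcB", ["svcA$"], tgt))
```

Run as a script it prints the two review dictionaries for the constructed scenario: with classic constrained delegation configured on A, the S4U2Self ticket comes back without the forwardable flag and S4U2Proxy is refused; with A added to B's principalsAllowedToDelegateTo the same non-forwardable ticket is accepted, which is the behaviour the post describes.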
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos