[38964] in Kerberos


Re: Query regarding S4U2Self protocol extension

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Wed Jul 28 04:40:56 2021

MIME-Version: 1.0
In-Reply-To: <CAMeQEL9Wj1Wen2z6+xC2F9na7dn79MGrH9ARzzigsZj3kst1kA@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 28 Jul 2021 11:37:58 +0300
Message-ID: <CAC-fF8RhhW2hUm28K4fXMbp-y4_ykkeZQyQFJvQn+AZa__zrBQ@mail.gmail.com>
To: Vipul Mehta <vipulmehta.1989@gmail.com>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
>
> I have Windows Server 2012 R2 with all the security updates installed and did some tests:
>
> Resource Based Constrained Delegation configured for Service A in Service B account.
>
> Case 1) Service A: trustedToAuthForDelegation = false and non-empty msds-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag and subsequent S4U2Proxy failed.

That's expected because the default of 'NonForwardableDelegation' is
enabled, I think, so RBCD requires the forwardable flag now. If you set
NonForwardableDelegation to disabled (that is, to 1 ..), then RBCD
S4U2Proxy will continue to work as before the update.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
