[38966] in Kerberos
Re: Query regarding S4U2Self protocol extension
daemon@ATHENA.MIT.EDU (Vipul Mehta)
Wed Jul 28 12:16:13 2021
MIME-Version: 1.0
In-Reply-To: <CAC-fF8S7PSPdFuVT31zEgkyiQ2WPyESRzY28FSOxSXh7=01rYw@mail.gmail.com>
From: Vipul Mehta <vipulmehta.1989@gmail.com>
Date: Wed, 28 Jul 2021 13:39:52 +0530
Message-ID: <CAMeQEL9Wj1Wen2z6+xC2F9na7dn79MGrH9ARzzigsZj3kst1kA@mail.gmail.com>
To: Isaac Boukris <iboukris@gmail.com>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I have Windows Server 2012 R2 with all the security updates installed and
did some tests:
Resource-Based Constrained Delegation configured for Service A in Service B
account.
Case 1) Service A :  trustedToAuthForDelegation = false and non-empty
msds-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag
and subsequent S4U2Proxy failed.
Case 2) Service A :  trustedToAuthForDelegation = false and empty
msds-AllowedToDelegateTo -> S4U2Self ticket was forwardable and subsequent
S4U2Proxy passed.
Because ticket signature check has been enabled in KDC in the security
update, now I cannot change the forwardable flag from false to true in
S4U2Self ticket in case 1).
On Tue, Jul 27, 2021 at 9:58 PM Isaac Boukris <iboukris@gmail.com> wrote:
> On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta <vipulmehta.1989@gmail.com>
> wrote:
> >
> > Need a clarification:
> > MIT KDC will set the forwardable flag in S4U2Self ticket in following
> cases
> > (provided account is not sensitive and not part of secure group):
> > 1) ok_to_auth_as_delegate is true
> > or
> > 2) ok_to_auth_as_delegate is false and Service TGT has forwardable flag
> set
>
> In case of 2) we'll also check that
> 'ServicesAllowedToSendForwardedTicketsTo' is empty like in the doc, I
> was just suggesting implementation wise that we do it in the plugin
> instead of the kdc itself, that is when the principal is retrieved the
> plugin will add 'ok_to_auth_as_delegate' if the
> 'ServicesAllowedToSendForwardedTicketsTo' is empty.
>
-- 
Regards,
Vipul
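The forwardable-flag rule discussed in this thread, written out as a small policy model so an administrator can check which service accounts would obtain a forwardable S4U2Self ticket (and so which RBCD S4U2Proxy requests would be expected to succeed). This is an added example, not code from MIT Kerberos or from the thread's participants; the attribute names, the account data and the audit helper are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ServiceAccount:
    """Constructed model of the attributes the thread talks about (not an AD/KDC API)."""
    trusted_to_auth_for_delegation: bool          # AD TRUSTED_TO_AUTH_FOR_DELEGATION / MIT ok_to_auth_as_delegate
    allowed_to_delegate_to: tuple = field(default_factory=tuple)  # msDS-AllowedToDelegateTo targets
    sensitive: bool = False                       # "account is sensitive and cannot be delegated"
    protected_group: bool = False                 # member of Protected Users (the "secure group")


def s4u2self_forwardable(svc: ServiceAccount, tgt_forwardable: bool) -> bool:
    """Rule as stated in the thread: the KDC sets the forwardable flag on an S4U2Self ticket if
    the account is neither sensitive nor protected AND either
      1) ok_to_auth_as_delegate is true, or
      2) it is false, the service TGT is forwardable, and msDS-AllowedToDelegateTo is empty."""
    if svc.sensitive or svc.protected_group:
        return False
    if svc.trusted_to_auth_for_delegation:
        return True
    return tgt_forwardable and not svc.allowed_to_delegate_to


def rbcd_s4u2proxy_expected(svc: ServiceAccount, tgt_forwardable: bool, rbcd_configured: bool) -> bool:
    """Per the two observed cases: S4U2Proxy with RBCD succeeds only when the S4U2Self
    evidence ticket came back forwardable (and the target account lists the service in RBCD)."""
    return rbcd_configured and s4u2self_forwardable(svc, tgt_forwardable)


def audit_implicit_forwardable(accounts: dict) -> list:
    """Names of accounts that get forwardable S4U2Self tickets WITHOUT being explicitly marked
    trusted-to-auth, i.e. only via the 'empty msDS-AllowedToDelegateTo + forwardable TGT' path.
    These are the ones a defender reviews when deciding whether RBCD exposure is intended."""
    return sorted(name for name, svc in accounts.items()
                  if not svc.trusted_to_auth_for_delegation and s4u2self_forwardable(svc, True))


# Constructed sample reproducing the thread's two cases plus two control accounts.
SAMPLE_ACCOUNTS = {
    "svc-a-case1": ServiceAccount(False, ("cifs/fileserver.example.test",)),  # case 1: not forwardable
    "svc-a-case2": ServiceAccount(False, ()),                                  # case 2: forwardable
    "svc-explicit": ServiceAccount(True, ()),                                  # explicitly trusted
    "svc-protected": ServiceAccount(False, (), protected_group=True),         # never forwardable
}

if __name__ == "__main__":
    print("implicitly forwardable:", audit_implicit_forwardable(SAMPLE_ACCOUNTS))
```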
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos