[19663] in Kerberos_V5_Development
cross-realm Kerberos constrained delegation [S4U2Self]
daemon@ATHENA.MIT.EDU (Rajesh Kumar Raju)
Tue Sep 26 11:11:04 2017
From: Rajesh Kumar Raju <rajeshkr@pulsesecure.net>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Tue, 26 Sep 2017 09:25:15 +0000
Message-ID: <MWHPR06MB25747EE3A31DF35DD7EAF572DD7B0@MWHPR06MB2574.namprd06.prod.outlook.com>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Dear all ,
Thanks for developing such a wonderful stack .
I got a document MS-SFU.pdf . Below is the content of Page 28 of MS-SFU.pdf .
Below is the step to create S4U2Self :
step1 : The service sends a request to its TGS , TGS-A , for a TGT to TGS B . No S4U2Self Information is included in this request.
step 2: TGS A responds with the cross-realm TGT to TGS-B . if the TGS-B was not the user's realm but was instead just a realm closer , then the service would send a KRB_TGS_REQ message to TGS-B to get a TGT to the next realm .
Note : TGS-A and TGS-B are Ticket Granting server from two different domain.
I am trying to understand step1 and step2 mentioned above . How can I get TGT for TGS B . Generally TGT is for the user .
Thanks in advance
Thanks
Rajesh
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev