[20458] in Kerberos_V5_Development
Re: [External] : Re: Windows Credential Guard with MSLSA
daemon@ATHENA.MIT.EDU (Seshan Parameswaran)
Wed Oct 11 18:48:38 2023
From: Seshan Parameswaran <seshan.parameswaran@oracle.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, Alexander Bokovoy <abokovoy@redhat.com>
CC: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Wed, 11 Oct 2023 22:46:39 +0000
Message-ID: <BYAPR10MB3479518436C84B6976625D0A9DCCA@BYAPR10MB3479.namprd10.prod.outlook.com>
In-Reply-To: <202309071725.387HP41J022246@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi
I have a follow-up question on the point that the client doesn't forward the TGT. If I set the user account on the AD directory host to support delegation, the client would send a forwardable TGT to the server. The server can then use that TGT to obtain its own TGT and follow the rest of the steps as detailed below. Please let me know if that is a possibility.
Thanks
Seshan
From: krbdev <krbdev-bounces@mit.edu> on behalf of Ken Hornstein via krbdev <krbdev@mit.edu>
Date: Thursday, September 7, 2023 at 10:30 AM
To: Alexander Bokovoy <abokovoy@redhat.com>
Cc: krbdev@mit.edu <krbdev@mit.edu>
Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
>A sample implementation of S4U operations using raw Kerberos 5 API can
>be found in kvno utility source code.
I did see that! But it is a little unclear to me how exactly that
works in an application server.
Hm, it is entirely possible I am overthinking it a bit; it seems
like the "normal" case is you just use the regular service ticket as
the evidence ticket. So I guess that would look like:
- The client is unchanged (well, they don't forward a TGT)
- The application server gets a TGT for itself using its own service key
(tons of ways of doing that) and places that in a credential cache.
- The application server takes the decrypted ticket from krb5_rd_req()
(or the equivalent) and calls krb5_get_credentials_for_proxy() to
perform the S4U2Proxy request. Sadly, krb5_get_credentials_for_proxy()
is not in the public krb5.h header file. Sigh.
--Ken
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev