Delegatable Service Tickets / Microsoft Kerberos
Seiichi Tatsukawa
statsu at us.ibm.com
Wed Feb 25 16:18:36 EST 2004
BDODSON at allstate.com wrote on 02/25/2004 02:14:44 PM:
> I am defining a security approach involving use of delegatable
> service tickets using Microsoft Kerberos implementation. I heard
> from a colleague that this is ill-advised as the Microsoft
> implementation does not properly limit the ticket to delegation only
> by the specific service it was issued for. Can anybody provide
> insight on this issue, re: Is this true and what specific security
> breach scenarios does it open up?
There was an article in the April 2003 issue of MSDN Magazine, "Security
Briefs: Exploring S4U Kerberos Extensions in Windows Server 2003".
http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/default.aspx
See the section "The Problem of Delegation", which covers unconstrained
delegation.
--- Seiichi