Douglas E. Engert deengert at
Mon Jul 21 12:05:29 EDT 2008

Michael B Allen wrote:
> On Fri, Jul 18, 2008 at 12:03 PM, Michael Ströder <michael at> wrote:
>> Simon Wilkinson wrote:
>>> On 18 Jul 2008, at 12:13, Michael Ströder wrote:
>>>> Is the TGT sent by the browser in the SPNEGO blob? Up to now I thought
>>>> it's just a service ticket.
>>> SPNEGO is a GSSAPI mechanism, wrapping the Kerberos one. If you set the
>>> deleg_creds flag when calling into the API, then a TGT will be included.
>> Which entity has to set this flag when calling into the API? The web
>> browser or the web server?
> It's the client's responsibility to decide whether or not to include a
> TGT. A client can always request a forwardable TGT in which case it
> can be submitted to the web server. For example on Linux if you do
> kinit -f principal@REALM and then point Firefox at an SPNEGO protected
> page, and it has network.negotiate-auth.delegation-uris set to the
> target domain, it will send the TGT.
> However, if you're using Windows clients in an AD environment and the
> HTTP service account has "Trusted for delegation" turned off, the TGT
> will not be sent.

Just to clarify, a Windows KDC will set the OK-AS-DELEGATE flag in the
Kerberos flags in the service ticket if the TRUSTED_FOR_DELEGATION
UserAccountControl flag is set for the service account. This is advisory
to the client. But the bit was introduced in Windows first. I have seen
mods to the MIT Kerberos to set this bit and mods in the client to check
if it is set.

Unfortunately the client needs to know if the KDC has implemented the
code to set the bit or not, because the default for the bit is off,
and non-Windows clients have always assumed delegation was OK. (The bit
should have been NOT-OK-AS-DELEGATE; it would have made introduction of the
feature much cleaner.)

A client using any protocol should always be very cautious in delegating,
as a delegated TGT is usually as good as the one you get with login or kinit.
SSH has the ssh_config "GSSAPIDelegateCredentials yes" to control delegation.

>> My goal when doing SSO for web applications is that I don't trust the
>> web applications so much not to reveal the user's credentials.

Have you looked at the Sun Access Manager?
Or other SSO products?

> Your choices are based on necessity, not trust. If the web application
> needs delegated credentials (e.g. to authenticate as the user with
> another tier), then you need to send the TGT [1]. If the web app does
> not need delegated credentials then configure your clients not to send
> the TGT (in AD this means simply turning off the "Trusted for
> delegation" flag on the HTTP service account).
> Mike
> [1] Kerberos provides other ways to limit how the TGT can be used and
> to proxy service tickets and such but I don't think browsers have
> support for such things yet.

Too bad, limiting the capabilities of delegated credentials is one of the
areas Kerberos implementations need improvement. It is one of the reasons
Kerberos will not scale well across organization boundaries and makes site
security nervous. The OK-AS-DELEGATE is a step, but it's all or nothing.



  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
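The client-side decision the thread describes (a forwardable TGT, a local allowlist such as Firefox's network.negotiate-auth.delegation-uris, and the advisory OK-AS-DELEGATE bit that only helps if you know your KDC sets it) as an added worked example. This is illustration code, not code from Doug Engert, Mike Allen, MIT Kerberos or any browser. It parses a constructed sample of MIT `klist -f` output (the `O` flag letter is "Okay as delegate" in MIT's klist), and the function and parameter names (`delegation_audit`, `kdc_sets_ok_as_delegate`, `allowlist`) are assumptions made here, not a real API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of MIT `klist -f` output; not captured from any real system.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
07/21/2008 10:00:00  07/21/2008 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\tFlags: FRIA
07/21/2008 10:05:00  07/21/2008 20:00:00  HTTP/portal.example.org@EXAMPLE.ORG
\tFlags: FRAO
07/21/2008 10:06:00  07/21/2008 20:00:00  HTTP/wiki.example.org@EXAMPLE.ORG
\tFlags: FRA
"""

# Flag letters as printed by MIT klist -f (see the klist man page).
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hw-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}


@dataclass
class Ticket:
    service: str
    flags: str

    def has(self, flag: str) -> bool:
        return flag in self.flags

    def describe(self) -> List[str]:
        return [FLAG_NAMES.get(c, f"unknown({c})") for c in self.flags]


_FLAGS_RE = re.compile(r"^\s*Flags:\s*(\S*)")


def parse_klist(text: str) -> List[Ticket]:
    """Pair each service-principal line with the 'Flags:' line that follows it."""
    tickets: List[Ticket] = []
    pending: Optional[str] = None
    for line in text.splitlines():
        m = _FLAGS_RE.match(line)
        if m:
            if pending is not None:
                tickets.append(Ticket(pending, m.group(1)))
            pending = None
            continue
        parts = line.split()
        # A ticket line ends in a service principal of the form svc/host@REALM.
        if len(parts) >= 5 and "/" in parts[-1] and "@" in parts[-1]:
            pending = parts[-1]
    return tickets


def target_host(service: str) -> str:
    """HTTP/portal.example.org@EXAMPLE.ORG -> portal.example.org"""
    return service.split("/", 1)[1].split("@", 1)[0]


def delegation_audit(klist_text: str, kdc_sets_ok_as_delegate: bool,
                     allowlist: List[str]) -> Dict[str, Tuple[bool, str]]:
    """For every non-TGT ticket in the cache, decide whether a client following
    the thread's advice would forward the TGT to that service, and say why."""
    tickets = parse_klist(klist_text)
    tgt = next((t for t in tickets if t.service.startswith("krbtgt/")), None)
    result: Dict[str, Tuple[bool, str]] = {}
    for t in tickets:
        if t is tgt:
            continue
        host = target_host(t.service)
        if tgt is None or not tgt.has("F"):
            result[t.service] = (False, "no forwardable TGT in cache; nothing to delegate")
        elif host not in allowlist:
            result[t.service] = (False, f"{host} is not in the local delegation allowlist")
        elif kdc_sets_ok_as_delegate and not t.has("O"):
            result[t.service] = (False, "KDC did not set OK-AS-DELEGATE on the service ticket")
        elif kdc_sets_ok_as_delegate:
            result[t.service] = (True, "allowlisted and KDC set OK-AS-DELEGATE")
        else:
            # Bit defaults to off, so a KDC that never sets it gives no signal.
            result[t.service] = (True, "allowlisted; KDC does not set the bit, so it is ignored")
    return result


if __name__ == "__main__":
    audit = delegation_audit(SAMPLE_KLIST, True, ["portal.example.org", "wiki.example.org"])
    for svc, (ok, why) in audit.items():
        print(f"{svc}: {'DELEGATE' if ok else 'WITHHOLD'} ({why})")
```

With `kdc_sets_ok_as_delegate=True` the portal ticket (flags FRAO) is approved and the wiki ticket (FRA, no O bit) is withheld even though both hosts are allowlisted; with it set to False both are approved on the allowlist alone, which is the "non-Windows clients always assumed delegation was OK" behaviour, and a non-forwardable TGT withholds everything regardless.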
