[EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
cneberg at sandia.gov
Wed Mar 13 11:33:38 EDT 2013
Do you have an idea why I can't get the t_s4u test program in 1.11.1 running against Windows 2008 R2 SP1?
Setup comments from t_s4u.c:
* Test program for protocol transition (S4U2Self) and constrained delegation
* Note: because of name canonicalization, the following tips may help
* when configuring with Active Directory:
* - Create a computer account FOO$
* - Set the UPN to host/foo.domain (no suffix); this is necessary to
* be able to send an AS-REQ as this principal, otherwise you would
* need to use the canonical name (FOO$), which will cause principal
* comparison errors in gss_accept_sec_context().
* - Add a SPN of host/foo.domain
* - Configure the computer account to support constrained delegation with
* protocol transition (Trust this computer for delegation to specified
* services only / Use any authentication protocol)
* - Add host/foo.domain to the keytab (possibly easiest to do this
* with ktadd)
* For S4U2Proxy to work the TGT must be forwardable too.
* Usage eg:
* kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
* ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab
>>Set the UPN to host/foo.domain (no suffix);
I can't do this step; if I don't put @TOPHERVILLE.COM at the end of the UPN, then I can't do a kinit with the impersonator account.
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Nebergall, Christopher
Sent: Tuesday, March 12, 2013 3:04 PM
To: Greg Hudson
Cc: kerberos at mit.edu
Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
Thank you, I believe that will be very helpful, but I'm unable to test it: while I could get constrained delegation working with the t_s4u test program in 1.10.3, I can't get the test program to work with the same accounts in 1.11.1. The test AD server is Windows 2008 R2 SP1 in both cases.
./t_s4u p:testusr1@TOPHERVILLE.COM p:host/testkcd2.topherville.com@TOPHERVILLE.COM /tmp/kcd_keytab_tv
Protocol transition tests follow
gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type
From: Greg Hudson [mailto:ghudson at MIT.EDU]
Sent: Monday, March 11, 2013 10:44 PM
To: Nebergall, Christopher
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching
On 03/11/2013 08:23 PM, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?
This is only possible with 1.11 or later. We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal. More details at:
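Greg's description above (the subject principal becomes the default ccache principal and a ccache config variable remembers the impersonating service) can be seen concretely in the cache bytes. The following is an added example, not code from this thread or from MIT krb5: it builds a constructed FILE-format (version 4) ccache in that layout and parses it back to recover the subject and the impersonator. It assumes the config variable name proxy_impersonator, which the thread does not state, and the krb5 convention that a ccache config entry is stored as a credential for krb5_ccache_conf_data/<key>@X-CACHECONF: with the value carried in the ticket field.

```python
import struct
from io import BytesIO
CONF_REALM, CONF_NAME = "X-CACHECONF:", "krb5_ccache_conf_data"
IMPERSONATOR_KEY = "proxy_impersonator"   # assumed: the ccache config variable name krb5 1.11 uses

def _data(b): return struct.pack(">I", len(b)) + b            # length-prefixed octet string
def _princ(name):                         # "a/b@REALM" -> uint32 name_type, uint32 count, realm, comps
    comps, _, realm = name.rpartition("@")
    parts = [c.encode() for c in comps.split("/")]
    return struct.pack(">II", 1, len(parts)) + _data(realm.encode()) + b"".join(map(_data, parts))
def build_ccache(client, creds):
    # Minimal FILE ccache v4 (constructed data, not a real cache); creds are (server, ticket_bytes).
    out = b"\x05\x04" + struct.pack(">H", 0) + _princ(client)   # version 4, empty header, default princ
    for server, ticket in creds:
        out += _princ(client) + _princ(server)
        out += struct.pack(">HI", 0, 0)                          # keyblock: enctype 0, empty key
        out += struct.pack(">IIIIBI", 0, 0, 0, 0, 0, 0)          # auth/start/end/renew, is_skey, flags
        out += struct.pack(">II", 0, 0)                          # no addresses, no authdata
        out += _data(ticket) + _data(b"")                        # ticket (config value lives here), second_ticket
    return out
def _rd(f, fmt): return struct.unpack(fmt, f.read(struct.calcsize(fmt)))
def _rd_data(f): return f.read(_rd(f, ">I")[0])
def _rd_princ(f):
    _, n = _rd(f, ">II"); realm = _rd_data(f).decode()
    return "/".join(_rd_data(f).decode() for _ in range(n)) + "@" + realm
def _rd_cred(f):
    client, server = _rd_princ(f), _rd_princ(f)
    f.read(_rd(f, ">HI")[1])                                     # skip keyblock bytes
    _rd(f, ">IIIIBI")                                            # times, is_skey, ticket_flags
    for _ in range(2):                                           # addresses, then authdata
        for _ in range(_rd(f, ">I")[0]):
            _rd(f, ">H"); _rd_data(f)
    ticket = _rd_data(f); _rd_data(f)                            # ticket, second_ticket
    return client, server, ticket
def parse_ccache(blob):
    # Returns (default principal, {config key: value}, [server principals of ordinary tickets]).
    f = BytesIO(blob)
    if f.read(2) != b"\x05\x04": raise ValueError("only FILE ccache version 4 is handled")
    f.read(_rd(f, ">H")[0])                                      # skip header tags (e.g. DeltaTime)
    default, config, tickets, prefix = _rd_princ(f), {}, [], CONF_NAME + "/"
    while f.tell() < len(blob):
        _, server, ticket = _rd_cred(f); name, _, realm = server.rpartition("@")
        if realm == CONF_REALM and name.startswith(prefix):
            config[name[len(prefix):]] = ticket.decode()
        else: tickets.append(server)
    return default, config, tickets
# Constructed sample in the 1.11 layout: subject as default principal, impersonator as a config entry.
SAMPLE = build_ccache("testusr1@TOPHERVILLE.COM", [
    ("krbtgt/TOPHERVILLE.COM@TOPHERVILLE.COM", b"<constructed placeholder ticket>"),
    (CONF_NAME + "/" + IMPERSONATOR_KEY + "@" + CONF_REALM, b"host/testkcd2.topherville.com@TOPHERVILLE.COM")])
```

To inspect a real 1.11 cache, pass the file's bytes to parse_ccache; DIR and KEYRING caches use other containers and are not covered here.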