[EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

Nebergall, Christopher cneberg at sandia.gov
Wed Mar 13 11:33:38 EDT 2013

Do you have an idea why I can't get the t_s4u test program in 1.11.1 running against Windows 2008 R2 SP 1?

Setup comments from t_s4u.c:
 * Test program for protocol transition (S4U2Self) and constrained delegation
 * (S4U2Proxy)
 * Note: because of name canonicalization, the following tips may help
 * when configuring with Active Directory:
 * - Create a computer account FOO$
 * - Set the UPN to host/foo.domain (no suffix); this is necessary to
 *   be able to send an AS-REQ as this principal, otherwise you would
 *   need to use the canonical name (FOO$), which will cause principal
 *   comparison errors in gss_accept_sec_context().
 * - Add a SPN of host/foo.domain
 * - Configure the computer account to support constrained delegation with
 *   protocol transition (Trust this computer for delegation to specified
 *   services only / Use any authentication protocol)
 * - Add host/foo.domain to the keytab (possibly easiest to do this
 *   with ktadd)
 * For S4U2Proxy to work the TGT must be forwardable too.
 * Usage eg:
 * kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
 * ./t_s4u p:delegtest@WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu@WIN.MIT.EDU test.keytab

>>Set the UPN to host/foo.domain (no suffix);

I can't do this step: if I don't put @TOPHERVILLE.COM at the end of the UPN, then I can't do a kinit with the impersonator account.
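The t_s4u.c setup tips above amount to a checklist on the computer account's directory attributes. The following is an added example, not part of this thread or of the krb5 sources, that audits an account's LDAP attributes against those tips; the account data is constructed, and the userAccountControl bit values are the documented ADS_USER_FLAG constants.

```python
# userAccountControl bits (ADS_USER_FLAG values from MS-ADTS)
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"


def audit_delegation_account(attrs, service_name):
    """Return findings for an AD computer account checked against the tips in
    t_s4u.c; an empty list means every prerequisite is satisfied.

    attrs: dict of LDAP attributes (userPrincipalName, servicePrincipalName,
           userAccountControl, msDS-AllowedToDelegateTo).
    service_name: the principal the test kinits as, e.g. 'host/foo.domain'.
    """
    findings = []
    upn = attrs.get("userPrincipalName", "")
    # Tip: UPN is the service name with no realm suffix, so an AS-REQ can be
    # sent as host/foo.domain rather than the canonical FOO$ name.
    if upn != service_name:
        findings.append(f"UPN is {upn!r}, expected {service_name!r} (no suffix)")
    spns = [s.lower() for s in attrs.get("servicePrincipalName", [])]
    if service_name.lower() not in spns:  # SPNs are case-insensitive in AD
        findings.append(f"SPN {service_name!r} is not registered")
    uac = attrs.get("userAccountControl", 0)
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol transition (S4U2Self) not enabled on account")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation set; expected 'specified services only'")
    if not attrs.get("msDS-AllowedToDelegateTo"):
        findings.append("msDS-AllowedToDelegateTo is empty; S4U2Proxy has no targets")
    return findings


# Constructed sample accounts (not real directory data).
GOOD_ACCOUNT = {
    "userPrincipalName": "host/testkcd2.topherville.com",
    "servicePrincipalName": ["HOST/testkcd2.topherville.com", "HOST/TESTKCD2"],
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["cifs/fileserver.topherville.com"],
}
BAD_ACCOUNT = {
    "userPrincipalName": "host/testkcd2.topherville.com@TOPHERVILLE.COM",
    "servicePrincipalName": ["HOST/testkcd2.topherville.com"],
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": [],
}

if __name__ == "__main__":
    for name, acct in ("good", GOOD_ACCOUNT), ("bad", BAD_ACCOUNT):
        print(name, audit_delegation_account(acct, "host/testkcd2.topherville.com") or "OK")
```

The forwardable-TGT requirement is a ticket flag rather than an account attribute, so it is checked with `kinit -f` and `klist -f` instead.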

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Nebergall, Christopher
Sent: Tuesday, March 12, 2013 3:04 PM
To: Greg Hudson
Cc: kerberos at mit.edu
Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

Thank you, I believe that will be very helpful, but I'm unable to test because, while I could get constrained delegation working with the t_s4u test program in 1.10.3, I can't get the test program to work with the same accounts in 1.11.1. The test AD server is Windows 2008 R2 SP 1 in both cases.

./t_s4u p:testusr1@TOPHERVILLE.COM p:host/testkcd2.topherville.com@TOPHERVILLE.COM /tmp/kcd_keytab_tv
Protocol transition tests follow

gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type

-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU]
Sent: Monday, March 11, 2013 10:44 PM
To: Nebergall, Christopher
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

On 03/11/2013 08:23 PM, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?

This is only possible with 1.11 or later.  We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal.  More details at:
