Windows KDC - Delegation Option
Russ Allbery
eagle at eyrie.org
Fri Apr 25 23:56:35 EDT 2014
Ben H <bhendin at gmail.com> writes:
> Based on your prior explanation I can't help but infer this means that
> although the new forwardable TGT session key may be different than my
> original TGT, it is still shared between all hosts that I delegate to,
> leading to a possible attack against all systems should one be
> compromised? Is this the reason that MIT chooses to request a new TGT
> for each connection?
A new delegated TGT is retrieved for each delegation normally because the
receiving host's IP address is (well, can be -- see below) encoded in the
ticket. Kerberos tickets encode the host that is supposed to have the
ticket... except that this has become essentially useless on the modern
Internet with NAT, and it never provided much in the way of security
anyway. So there are some vestiges of support for that behavior around,
but basically everyone disables addresses in tickets.
Windows probably realizes that the tickets are addressless and therefore
doesn't bother to get another delegated ticket. (You still have to do it
once to get a ticket with the correct flags.)
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list