S4U2proxy & requires_preauth services.
Peter Mogensen
apm at one.com
Sat Feb 22 09:48:19 EST 2014
Hi,
I noticed that the KDC doesn't copy the pre-authent flag from the client
evidence ticket to the issued ticket during S4U2proxy TGS requests.
It seems to rely on the pre-authentication status of the service
requesting the TGS req.
I couldn't find anything in the Microsoft SFU spec, about correct behaviour.
I haven't thought through whether there should be any problems in doing
it but regardless it results in a dilemma at the target service.
Should it require preauth or not? Disabling "requires preauth" on the
target service make it work for the services using S4U2proxy, ... but on
the other hand also disables the preauth requirement for clients
accessing the target service directly.
regards,
/Peter
PS: Nobody answered this question about cross realm S4U2proxy, so I'll
take the opportunity to mention it again:
http://mailman.mit.edu/pipermail/kerberos/2014-January/019438.html
More information about the Kerberos
mailing list