S4U2proxy & requires_preauth services.

Peter Mogensen apm at one.com
Sat Feb 22 09:48:19 EST 2014


Hi,

I noticed that the KDC doesn't copy the pre-authent flag from the client 
evidence ticket to the issued ticket during S4U2proxy TGS requests.
It seems to rely on the pre-authentication status of the service 
requesting the TGS req.
I couldn't find anything in the Microsoft SFU spec about correct behaviour.

I haven't thought through whether there should be any problems in doing 
it, but regardless, it results in a dilemma at the target service.
Should it require preauth or not? Disabling "requires preauth" on the 
target service makes it work for the services using S4U2proxy, ... but on 
the other hand also disables the preauth requirement for clients 
accessing the target service directly.

regards,
/Peter

PS: Nobody answered this question about cross-realm S4U2proxy, so I'll 
take the opportunity to mention it again:
http://mailman.mit.edu/pipermail/kerberos/2014-January/019438.html

