S4U2proxy & requires_preauth services.
Greg Hudson
ghudson at MIT.EDU
Sun Feb 23 11:07:31 EST 2014
On 02/22/2014 09:48 AM, Peter Mogensen wrote:
> I noticed that the KDC doesn't copy the pre-authent flag from the client
> evidence ticket to the issued ticket during S4U2proxy TGS requests.
> It seems to rely on the pre-authentication status of the service
> requesting the TGS req.
> I couldn't find anything in the Microsoft SFU spec, about correct behaviour.
I'm not sure what's correct either. Heimdal also copies that flag from
the TGT. I don't believe ticket flags are covered by AD-SIGNEDPATH, so
I don't think we can be sure that they weren't modified by the
requesting service.
> I haven't thought through whether there should be any problems in doing
> it but regardless it results in a dilemma at the target service.
> Should it require preauth or not? Disabling "requires preauth" on the
> target service makes it work for the services using S4U2proxy, ... but on
> the other hand also disables the preauth requirement for clients
> accessing the target service directly.
I don't recommend using the requires_preauth flag on service principals
(unless you require it on every principal in the DB, which is a
reasonable option in a new deployment). If we had a time machine, we
would probably only give a meaning for the requires_preauth flag on
client principals.
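As an added illustration of the "require it on every principal" option mentioned above (not part of the original message), the MIT kdc.conf fragment below sets REQUIRES_PRE_AUTH on every principal created afterwards via default_principal_flags, so that the flag never ends up on some service principals and not others. The realm name EXAMPLE.COM is a placeholder; the commented-out line shows the less uniform setting that leaves the decision to each principal.

```ini
[realms]
    EXAMPLE.COM = {
        # Added example (hypothetical realm). With +preauth here, every
        # principal added later gets REQUIRES_PRE_AUTH, so the flag is
        # uniform across clients and services and an S4U2proxy target does
        # not have to choose between accepting delegated tickets and
        # keeping the requirement for direct clients.
        default_principal_flags = +preauth
        # Weaker alternative: omit the flag and set it per principal, which
        # is what leads to the per-service dilemma discussed in the thread.
        # default_principal_flags = -preauth
    }
```

Principals that already exist are not changed by this setting; checking one with `kadmin.local -q "getprinc user@EXAMPLE.COM"` shows whether REQUIRES_PRE_AUTH appears in its Attributes line, and `modprinc +requires_preauth` adds it where it is missing.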