S4U2proxy & requires_preauth services.

Greg Hudson ghudson at MIT.EDU
Sun Feb 23 11:07:31 EST 2014


On 02/22/2014 09:48 AM, Peter Mogensen wrote:
> I noticed that the KDC doesn't copy the pre-authent flag from the client
> evidence ticket to the issued ticket during S4U2proxy TGS requests.
> It seems to rely on the pre-authentication status of the service
> requesting the TGS req.
> I couldn't find anything in the Microsoft SFU spec, about correct behaviour.

I'm not sure what's correct either.  Heimdal also copies that flag from
the TGT.  I don't believe ticket flags are covered by AD-SIGNEDPATH, so
I don't think we can be sure that they weren't modified by the
requesting service.

> I haven't thought through whether there should be any problems in doing
> it, but regardless it results in a dilemma at the target service.
> Should it require preauth or not? Disabling "requires preauth" on the
> target service makes it work for the services using S4U2proxy, ... but on
> the other hand it also disables the preauth requirement for clients
> accessing the target service directly.

I don't recommend using the requires_preauth flag on service principals
(unless you require it on every principal in the DB, which is a
reasonable option in a new deployment).  If we had a time machine, we
would probably only give a meaning for the requires_preauth flag on
client principals.
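An added example, not from the thread or from MIT krb5 itself: a small audit that follows the advice above by parsing `kadmin.local -q "getprinc <name>"` output and listing service principals (two-component names such as `HTTP/host@REALM`) that carry REQUIRES_PRE_AUTH, while staying quiet when the flag is set uniformly on every principal. The sample output below is constructed, and the "has a / component" rule for recognising service principals is an assumption of the script.

```python
import re
from typing import Dict, List

# Constructed sample of `kadmin.local -q "getprinc <name>"` output for three
# principals (not real data); only the fields the audit needs are kept.
SAMPLE_GETPRINC_OUTPUT = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: HTTP/web.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: cifs/files.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]
"""

def parse_getprinc(text: str) -> Dict[str, List[str]]:
    """Map each 'Principal:' block to the flags on its 'Attributes:' line."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            result[current] = []
        elif line.startswith("Attributes:") and current is not None:
            result[current] = line.split(":", 1)[1].split()
    return result

def is_service_principal(name: str) -> bool:
    # Assumption: a second name component (HTTP/host@REALM) marks a service.
    return "/" in name.split("@", 1)[0]

def audit_requires_preauth(principals: Dict[str, List[str]]) -> List[str]:
    """Service principals with REQUIRES_PRE_AUTH, unless every principal in
    the dump has it (the 'require it on every principal' exception)."""
    flagged = {n for n, attrs in principals.items()
               if "REQUIRES_PRE_AUTH" in attrs}
    if flagged and flagged == set(principals):
        return []
    return sorted(n for n in flagged if is_service_principal(n))

if __name__ == "__main__":
    for name in audit_requires_preauth(parse_getprinc(SAMPLE_GETPRINC_OUTPUT)):
        print("requires_preauth set on service principal:", name)
```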
