Resource based Kerberos constrained delegation

Stefan Dietiker stefan.dietiker at ergon.ch
Fri Nov 6 07:05:23 EST 2015


Hello

I'm currently building a solution with Kerberos constrained delegation.
Below you can find a brief overview of my setup:

Front-end server: Linux with krb5-libs-1.10.3-42
Back-end server: Windows 2012 R2 with IIS 8.5
Domain Controller: Windows 2012 R2

Domain: abc.com
System account (used on the Front-end server to request a Kerberos ticket on
behalf of a user for the Back-end server): abc.com\systemacc
User: abc.com\testuser
SPN (on Back-end server): http/myiis.abc.com

As long as the system account is permitted the "old way" (not resource
based Kerberos constrained delegation), my setup works fine. With Windows
2012, Microsoft introduced Resource based Kerberos constrained
delegation (see:
https://technet.microsoft.com/en-us/library/hh831477.aspx#BKMK_kerb_const_del_domains)

My test results show that Kerberos constrained delegation doesn't work if
the authorization decision is configured on the resource owner (Resource
based KCD), no matter whether all users and SPNs are in the same Windows
domain or not (cross-domain KCD). The requirements (see the technet link
above) say that the Front-end server must run Windows Server 2012. My
Front-end server is a Linux server with krb5-libs ;-). That's why I have a
few questions:
- Is there really a dependency, that krb5-libs must support RBKCD
(Resource based Kerberos constrained delegation)?
- Does krb5-libs support RBKCD?
- If not now, are there any plans to support that?
- If it is already supported, which version is required and what has to be
considered?

Thanks
Stefan
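The two delegation models the post compares, as an added configuration example (this is not code from the original post or from the krb5 project). It uses the ActiveDirectory PowerShell module on the 2012 R2 domain controller with the names from the post; it assumes that the SPN http/myiis.abc.com is registered on the computer account "myiis" and that "systemacc" is a plain user account. In the "old way" the front-end account carries the allow-list (msDS-AllowedToDelegateTo) plus the protocol-transition bit; in resource-based KCD the back-end object carries the allow-list instead (msDS-AllowedToActOnBehalfOfOtherIdentity), so the front-end account needs no delegation settings of its own.

```powershell
# Added example, not from the original post. Assumptions: the SPN
# http/myiis.abc.com lives on the computer account "myiis", and
# "systemacc" is an ordinary user account acting as the front-end identity.
Import-Module ActiveDirectory

$frontEnd = Get-ADUser     -Identity systemacc   # abc.com\systemacc
$backEnd  = Get-ADComputer -Identity myiis       # owns http/myiis.abc.com

# --- "Old way": classic KCD with protocol transition, configured on the
#     FRONT-END account. The front-end decides which SPNs it may forward
#     tickets to (msDS-AllowedToDelegateTo) and gets the
#     TRUSTED_TO_AUTH_FOR_DELEGATION userAccountControl bit so that it may
#     obtain tickets for users who never authenticated to it (S4U2Self).
Set-ADUser -Identity $frontEnd -Add @{ 'msDS-AllowedToDelegateTo' = 'http/myiis.abc.com' }
Set-ADAccountControl -Identity $frontEnd -TrustedToAuthForDelegation $true

# --- Resource-based KCD: the decision moves to the BACK-END object. It
#     lists the principals allowed to act on behalf of other users toward
#     it; nothing is written to the front-end account.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify what the directory actually holds for each side.
Get-ADUser -Identity $frontEnd -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
Get-ADComputer -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# To test one model in isolation, clear the other one first, otherwise a
# working "old way" entry masks whether the resource-based entry is honoured:
#   Set-ADUser     -Identity $frontEnd -Clear msDS-AllowedToDelegateTo
#   Set-ADAccountControl -Identity $frontEnd -TrustedToAuthForDelegation $false
#   Set-ADComputer -Identity $backEnd  -PrincipalsAllowedToDelegateToAccount $null
```

After changing the directory, purge the front-end's credential cache before retesting, since a cached service ticket from the previous configuration would otherwise still be presented. On the Linux front-end the MIT krb5 kvno tool can exercise the same S4U2Self/S4U2Proxy pair the application performs (`kinit systemacc`, then `kvno -U testuser -P http/myiis.abc.com`, then `klist`); whether that request succeeds against a KDC that only has the resource-based entry is exactly the question the post raises, and this example does not answer it.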

