Constrained Delegation and PAC : Realm crossover

Simo Sorce simo at
Thu Oct 15 10:06:18 EDT 2015

On 15/10/15 08:00, Rick van Rein wrote:
> Hello,
> Does anyone on this list have S4U2Proxy or "Constrained Delegation"
> experience?


> I know that the security is based on a PAC, but it is unclear where it
> is enforced -- in the benevolent service, or in the KDC.

Can be either, however according to MS specs the KDC is vouching for the 
contents, and can (should) apply SID filtering (for example), to remove 
unwanted Identifiers, from another domain.

> And, if it is the KDC, which one if client and service realms differ?

The client's KDC produces it, the service's KDC inspects it, perhaps 
changes it and then re-signs it therefore approving its use.

> The client provides a Forwarded TGT along with the session key on it, so
> I presume it is the client's KDC who applies policy (to avoid that a
> webmail service uses more than imap and smtp backend services).

Both KDCs are involved.

> Don't worry about pointing me to specs (or sections therein) if I missed
> the hints.  Since I don't use Windows I'm already getting at this from
> the "outside", reading specs, but it's not easy to see the whole picture.

Documetns you may want to read:

Simo Sorce * Red Hat, Inc * New York

More information about the Kerberos mailing list