Constrained Delegation and PAC : Realm crossover
Simo Sorce
simo at redhat.com
Thu Oct 15 10:06:18 EDT 2015
On 15/10/15 08:00, Rick van Rein wrote:
> Hello,
>
> Does anyone on this list have S4U2Proxy or "Constrained Delegation"
> experience?
Yes
> I know that the security is based on a PAC, but it is unclear where it
> is enforced -- in the benevolent service, or in the KDC.
Can be either, however according to MS specs the KDC is vouching for the
contents, and can (should) apply SID filtering (for example), to remove
unwanted Identifiers, from another domain.
> And, if it is the KDC, which one if client and service realms differ?
The client's KDC produces it, the service's KDC inspects it, perhaps
changes it and then re-signs it therefore approving its use.
> The client provides a Forwarded TGT along with the session key on it, so
> I presume it is the client's KDC who applies policy (to avoid that a
> webmail service uses more than imap and smtp backend services).
Both KDCs are involved.
> Don't worry about pointing me to specs (or sections therein) if I missed
> the hints. Since I don't use Windows I'm already getting at this from
> the "outside", reading specs, but it's not easy to see the whole picture.
Documetns you may want to read:
MS-KILE: https://msdn.microsoft.com/en-us/library/cc233855.aspx
MS-PAC: https://msdn.microsoft.com/en-us/library/cc237917.aspx
--
Simo Sorce * Red Hat, Inc * New York
More information about the Kerberos
mailing list