Forwardable TGT - Windows vs MIT behavior?

Ray Van Dolson rvandolson at esri.com
Sat Apr 23 12:41:47 EDT 2016


Using PuTTY from a domain-joined Windows 7 machine, with that machine's
PuTTY stack configured to allow credential delegation and connecting to
a RHEL7 server, also joined to AD but *not* configured in AD to be
trusted for delegation, I do not get a TGT added to my cache when I
connect.

However, if I use MIT Kerberos on the Windows side to obtain the ticket
and then configure PuTTY to prefer MIT over MS SSPI, and connect to the
same RHEL7 machine, I *do* get a forwarded TGT (klist -f: Flags: FfPRA).

PuTTY w/ MS SSPI works *if* I go into AD and set the target server up
to be configured for delegation trust.

Can someone explain the difference in behavior?  Almost feels like the
ticket the MIT stack is providing to PuTTY is different than the MS
stack's ticket.

I also see this alluded to elsewhere[1].

Thanks,
Ray

[1] http://serverfault.com/questions/646854/putty-kerberos-gssapi-authentication/705889#705889

