Forwardable TGT - Windows vs MIT behavior?

Ray Van Dolson rvandolson at esri.com
Sat Apr 23 12:47:59 EDT 2016


On Sat, Apr 23, 2016 at 09:41:47AM -0700, Ray Van Dolson wrote:
> Using PuTTY from a domain-joined Windows 7 machine, with that machine's
> PuTTY stack configured to allow credential delegation and connecting to
> a RHEL7 server, also joined to AD but *not* configured in AD to be
> trusted for delegation, I do not get a TGT added to my cache when I
> connect.
> 
> However, if I use MIT Kerberos on the Windows side to obtain the ticket
> and then configure PuTTY to prefer MIT over MS SSPI, and connect to the
> same RHEL7 machine, I *do* get a forwarded TGT (klist -f: Flags: FfPRA).
> 
> PuTTY w/ MS SSPI works *if* I go into AD and set the target server up
> to be configured for delegation trust.
> 
> Can someone explain the difference in behavior?  Almost feels like the
> ticket the MIT stack is providing to PuTTY is different than the MS
> stack's ticket.
> 
> I also see this alluded to elsewhere[1].
> 
> Thanks,
> Ray

Apologies for self-reply, but perhaps this is the reason?

http://mailman.mit.edu/pipermail/kerberos/2014-February/019500.html

Ray

