Constrained Delegation using s4u2Self and S4u2Proxy

Tapas Sharma tapas.bits at gmail.com
Mon Sep 26 02:39:27 EDT 2016


Hi Krb Devs,

I am writing a proxy for SQL Server, wherein I also want to authenticate
the clients that want to connect using Kerberos.
The proxy server sits in between the client and the SQL Server, and
currently authenticates requests of the following types:
1. NTLM
2. SQL Authentication

The AP_REQ the client sends is wrapped as TDS -> GSS-API -> AP_REQ using the
KRB5 mechanism. I was able to successfully accept the AP_REQ the client
sends if it is not in SPNEGO.

The problem that I am facing is twofold:
1. SPNEGO-wrapped Kerberos AP_REQs are not being accepted by
gss_accept_sec_context().
2. The S4U2Proxy-generated AP_REQ sent to the SQL Server results in an error
with the message "The login is from an untrusted domain."

Looking into the kerberos logs, I was able to successfully get S4u2Self and
S4u2Proxy done, but I hit the second issue while sending the AP_REQ to the
SQL Server. I verified the AP_REQ generated by
gss_init_sec_context(with_delegated_creds and impersonation_context) by
sending it to my proxy again, and was able to extract all the information
needed to authenticate.

Was there a change in KRB5-1.14.4 where SPNEGO cannot be decoded by
gss_accept_sec_context()? I was able to get the flags requested by
the client but then got the GSS_BAD_TOKEN error code.

Any pointers or help regarding protocol transition and constrained
delegation using MIT KRB5 will be really helpful. I am currently using
t_s4u.c and s4u2proxy.c as my guides to develop this layer.

-----------------------------
Regards,
Tapas Sharma
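An added example, not part of the message above and not MIT krb5 code: a small C checker for the outer framing of a GSS-API initial context token (RFC 2743 section 3.1). The message reports that raw Kerberos AP_REQs are accepted while SPNEGO-wrapped ones are rejected by gss_accept_sec_context(); the first thing to establish on the proxy side is which mechanism OID the client's token actually carries and, for SPNEGO, which mechanism its NegTokenInit lists first, since that is the mechanism whose optimistic token is embedded. The function names (gsstok_mech, gsstok_krb5_tok_id, gsstok_spnego_first_mech) and all three sample tokens are this example's own constructions; the sample AP-REQ body is a placeholder, not a real ticket.

```c
/* Added example: classify a GSS-API InitialContextToken before it reaches
 * gss_accept_sec_context(). Pure C, no GSS-API library needed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mechanism classification for the outer token (this example's own enum). */
enum tok_mech { MECH_BAD = -1, MECH_OTHER = 0, MECH_KRB5 = 1, MECH_MSKRB5 = 2, MECH_SPNEGO = 3 };

/* DER OID contents (tag and length stripped). */
static const unsigned char OID_KRB5[]   = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.113554.1.2.2 */
static const unsigned char OID_MSKRB5[] = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02}; /* 1.2.840.48018.1.2.2 */
static const unsigned char OID_SPNEGO[] = {0x2b,0x06,0x01,0x05,0x05,0x02};                /* 1.3.6.1.5.5.2 */

static enum tok_mech classify_oid(const unsigned char *oid, size_t n)
{
    if (n == sizeof OID_KRB5   && memcmp(oid, OID_KRB5,   n) == 0) return MECH_KRB5;
    if (n == sizeof OID_MSKRB5 && memcmp(oid, OID_MSKRB5, n) == 0) return MECH_MSKRB5;
    if (n == sizeof OID_SPNEGO && memcmp(oid, OID_SPNEGO, n) == 0) return MECH_SPNEGO;
    return MECH_OTHER;
}

/* Read a DER length at tok[*pos]; short form, or long form up to 4 bytes. Returns 0 on failure. */
static int der_length(const unsigned char *tok, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return 0;
    unsigned char b = tok[(*pos)++];
    if (b < 0x80) { *out = b; return 1; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 4 || *pos + n > len) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | tok[(*pos)++];
    *out = v;
    return 1;
}

/* Expect `tag` at tok[*pos] followed by a DER length that fits in the buffer;
 * on success *pos is left at the start of the content and *clen holds its length. */
static int der_expect(const unsigned char *tok, size_t len, size_t *pos, unsigned char tag, size_t *clen)
{
    if (*pos >= len || tok[(*pos)++] != tag) return 0;
    if (!der_length(tok, len, pos, clen) || *pos + *clen > len) return 0;
    return 1;
}

/* InitialContextToken framing: 0x60 <len> 0x06 <oidlen> <oid> <inner token>.
 * Returns the mechanism named by the outer OID; *inner_off receives the offset
 * of the mechanism-specific inner token. MECH_BAD means the framing is malformed. */
enum tok_mech gsstok_mech(const unsigned char *tok, size_t len, size_t *inner_off)
{
    size_t pos = 0, body_len, oid_len;
    if (!der_expect(tok, len, &pos, 0x60, &body_len) || pos + body_len != len) return MECH_BAD;
    if (!der_expect(tok, len, &pos, 0x06, &oid_len)) return MECH_BAD;
    enum tok_mech m = classify_oid(tok + pos, oid_len);
    pos += oid_len;
    if (inner_off) *inner_off = pos;
    return m;
}

/* For a krb5-mechanism token the inner token starts with a 2-byte TOK_ID
 * (RFC 4121 section 4.1): 0x0100 AP-REQ, 0x0200 AP-REP, 0x0300 KRB-ERROR.
 * Returns -1 if the token is not a krb5-mechanism token or is too short. */
int gsstok_krb5_tok_id(const unsigned char *tok, size_t len)
{
    size_t inner;
    enum tok_mech m = gsstok_mech(tok, len, &inner);
    if ((m != MECH_KRB5 && m != MECH_MSKRB5) || inner + 2 > len) return -1;
    return (tok[inner] << 8) | tok[inner + 1];
}

/* For an SPNEGO token, return the first entry of NegTokenInit.mechTypes, i.e. the
 * mechanism whose optimistic mechToken (if present) this token carries:
 *   [0] NegTokenInit ::= SEQUENCE { [0] mechTypes ::= SEQUENCE OF OID, ... } */
enum tok_mech gsstok_spnego_first_mech(const unsigned char *tok, size_t len)
{
    size_t pos, clen;
    if (gsstok_mech(tok, len, &pos) != MECH_SPNEGO) return MECH_BAD;
    if (!der_expect(tok, len, &pos, 0xa0, &clen)) return MECH_BAD; /* negTokenInit [0] */
    if (!der_expect(tok, len, &pos, 0x30, &clen)) return MECH_BAD; /* SEQUENCE */
    if (!der_expect(tok, len, &pos, 0xa0, &clen)) return MECH_BAD; /* mechTypes [0] */
    if (!der_expect(tok, len, &pos, 0x30, &clen)) return MECH_BAD; /* SEQUENCE OF OID */
    if (!der_expect(tok, len, &pos, 0x06, &clen)) return MECH_BAD; /* first OID */
    return classify_oid(tok + pos, clen);
}

/* Constructed samples (not real captures). Token 1: krb5 mech, TOK_ID 01 00, placeholder AP-REQ body. */
const unsigned char SAMPLE_KRB5_APREQ[] = {
    0x60,0x11, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,
    0x01,0x00, 0x6e,0x02,0x30,0x00 };
/* Token 2: SPNEGO NegTokenInit whose mechTypes lists MS-KRB5 first, as Windows SSPI clients typically do. */
const unsigned char SAMPLE_SPNEGO[] = {
    0x60,0x1b, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,
    0xa0,0x11, 0x30,0x0f, 0xa0,0x0d, 0x30,0x0b,
    0x06,0x09,0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02 };
/* Token 3: outer length claims more bytes than are present. */
const unsigned char SAMPLE_TRUNCATED[] = { 0x60,0x20, 0x06,0x09,0x2a,0x86,0x48 };

int main(void)
{
    static const char *names[] = {"bad framing", "other mech", "krb5", "ms-krb5", "spnego"};
    printf("token 1: %s, TOK_ID 0x%04x\n",
           names[gsstok_mech(SAMPLE_KRB5_APREQ, sizeof SAMPLE_KRB5_APREQ, NULL) + 1],
           gsstok_krb5_tok_id(SAMPLE_KRB5_APREQ, sizeof SAMPLE_KRB5_APREQ));
    printf("token 2: %s, first listed mech: %s\n",
           names[gsstok_mech(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO, NULL) + 1],
           names[gsstok_spnego_first_mech(SAMPLE_SPNEGO, sizeof SAMPLE_SPNEGO) + 1]);
    printf("token 3: %s\n", names[gsstok_mech(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL) + 1]);
    return 0;
}
```

Once the mechanism is known, the acceptor-side check is whether the credential passed to gss_accept_sec_context() covers it: a credential acquired for the krb5 mechanism OID alone does not cover SPNEGO tokens, whereas acquiring with GSS_C_NO_OID_SET (the default mechanism set) does. An SPNEGO token that lists MS-KRB5 first is also worth noting when comparing against a raw krb5-mechanism AP_REQ, since the two carry different outer OIDs even though the Kerberos exchange inside is the same.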

