Question about TGT forwarding

Thomas Maslen (tmaslen) Thomas.Maslen at oneidentity.com
Fri Jun 1 14:54:57 EDT 2018


On Thu, May 31, 2018 at 04:50:36PM -0400, Jason Edgecombe wrote:
[...]
> I have a disagreement with our AD guru on whether or not TGTs are expected
> to be forwarded and if that is a security risk. Everything worked fine a
> few weeks ago.

Windows' own Kerberos client code will only send a delegated TGT if the service ticket contained the OK-AS-DELEGATE flag.

If the KDC issuing the service ticket is Active Directory, it will only set the OK-AS-DELEGATE flag in the service ticket if the Active Directory object for the target of that service ticket has the UF_TRUSTED_FOR_DELEGATION flag set.  In the "Active Directory Users and Computers" GUI, on the Delegation tab, choosing “Trust this user/computer for delegation to any service (Kerberos only)” enables that flag.

So one possibility, I suppose, is that a few weeks ago you were using a service account that was configured that way and now you aren't.

But if, as Ben points out, your Kerberos client code is some other Kerberos implementation then none of this may be relevant.
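A way to check the two conditions described above from the client side, as an added example that is not part of the original thread: decode the "Ticket Flags" value that the Windows `klist` command prints for each cached ticket (bit numbering from RFC 4120 section 5.3.1, with Microsoft's name_canonicalize in bit 15) and report which service principals hold a ticket with ok_as_delegate set, since those are the services to which the Windows client will forward the TGT; and test a userAccountControl value for UF_TRUSTED_FOR_DELEGATION (0x80000), the bit behind "Trust this user/computer for delegation to any service (Kerberos only)". The `klist` output below is constructed sample text, not captured from a real host, and the realm, principal and service names in it are made up.

```python
import re

# Ticket flag bit numbers from RFC 4120 section 5.3.1.  The TicketFlags BIT STRING
# is MSB-first, so flag bit n is mask 1 << (31 - n) in the 32-bit value klist prints.
# name_canonicalize (bit 15) is the Microsoft name for that position.
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may_postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre_authent", 11: "hw_authent",
    12: "transited_policy_checked", 13: "ok_as_delegate", 15: "name_canonicalize",
}

# userAccountControl bit set by "Trust this user/computer for delegation to any
# service (Kerberos only)" in ADUC (unconstrained delegation).
UF_TRUSTED_FOR_DELEGATION = 0x00080000

# Constructed sample klist output (not from a real machine); names are made up.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 6/1/2018 9:00:00 (local)
        End Time:   6/1/2018 19:00:00 (local)

#1>     Client: alice @ EXAMPLE.COM
        Server: HTTP/web01.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 6/1/2018 9:05:00 (local)
        End Time:   6/1/2018 19:00:00 (local)
"""


def decode_ticket_flags(value):
    """Return the set of flag names set in a klist 'Ticket Flags' value."""
    names = set()
    for bit in range(32):
        if value & (1 << (31 - bit)):
            names.add(TICKET_FLAG_BITS.get(bit, "bit_%d" % bit))
    return names


def parse_klist(text):
    """Parse Windows klist output into a list of (server principal, flags int)."""
    tickets = []
    # Each cached ticket starts with a '#N>' marker at the beginning of a line.
    for entry in re.split(r"^#\d+>", text, flags=re.MULTILINE)[1:]:
        server = re.search(r"Server:\s*(.+)", entry)
        flags = re.search(r"Ticket Flags\s+0x([0-9a-fA-F]+)", entry)
        if server and flags:
            tickets.append((server.group(1).strip(), int(flags.group(1), 16)))
    return tickets


def delegation_targets(text):
    """Service principals whose ticket carries ok_as_delegate, i.e. the services
    to which the Windows Kerberos client will send a forwarded TGT."""
    return [server for server, value in parse_klist(text)
            if "ok_as_delegate" in decode_ticket_flags(value)]


def trusted_for_delegation(uac):
    """True if a userAccountControl value has UF_TRUSTED_FOR_DELEGATION set,
    which is what makes AD set OK-AS-DELEGATE in tickets for that account."""
    return bool(uac & UF_TRUSTED_FOR_DELEGATION)


if __name__ == "__main__":
    for server, value in parse_klist(SAMPLE_KLIST):
        print("%-45s 0x%08x %s" % (server, value, " ".join(sorted(decode_ticket_flags(value)))))
    print("TGT will be forwarded to:", delegation_targets(SAMPLE_KLIST))
    # 512 is UF_NORMAL_ACCOUNT; 524800 is a normal account with unconstrained delegation.
    print("uac=512 trusted:", trusted_for_delegation(512))
    print("uac=524800 trusted:", trusted_for_delegation(524800))
```

On a real host, pipe the output of `klist` into `parse_klist`; a service principal listed by `delegation_targets` is one whose account (or host computer object) has the UF_TRUSTED_FOR_DELEGATION bit, which is the ADUC setting the message above describes.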


