Constrained Delegation error "KDC policy rejects request"

John Byrne jhnbyrn at gmail.com
Wed Feb 6 15:49:39 EST 2019


Hi,

I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
I'm trying to perform constrained delegation. However, I'm getting this
error from the KDC when the intermediate service calls the step() function
on the security context: "KDC policy rejects request"

Here's the KDC log:

Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8
etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE:
authtime 0,  HTTP/www.example.com at EXAMPLE.COM for HTTP/
datastore.example.com at EXAMPLE.COM, KDC policy rejects request

I've set the "ok_to_auth_as_delegate" flag on the intermediate service
principal HTTP/www.example.com, using kadmin.local (output of getprinc
below).

Is there something else I need to do to allow this?

Thanks,
John

PS. here's the output of kadmin.local getprinc command for the intermediate
service principal:

kadmin.local:  getprinc HTTP/www.example.com
Principal: HTTP/www.example.com at EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Feb 06 14:58:41 EST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Feb 06 15:19:15 EST 2019 (root/admin at EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: OK_TO_AUTH_AS_DELEGATE
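Added example, not part of John's message: with MIT krb5's LDAP KDB module, an S4U2Proxy request is checked not only against the OK_TO_AUTH_AS_DELEGATE flag but also against the intermediate principal's krbAllowedToDelegateTo LDAP attribute, which must list the target service and which getprinc does not display. The script below parses a krb5kdc TGS_REQ line of the shape shown above, extracts the rejected intermediate/target pair, and emits the LDIF that would add that target; the sample line (with the archive's " at " restored to "@") and the realm container DN are constructed assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the KDC line from the post, with the list archive's
# " at " obfuscation of "@" reversed.
SAMPLE_LOG = (
    "Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 "
    "etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: "
    "authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/"
    "datastore.example.com@EXAMPLE.COM, KDC policy rejects request"
)

# Shape of a krb5kdc TGS_REQ line carrying a KDC status code:
# TGS_REQ (<n> etypes {...}) <ip>: <STATUS>: authtime <t>, <client> for <server>, <message>
TGS_LINE = re.compile(
    r"TGS_REQ \(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"authtime \d+,\s+(?P<client>\S+) for (?P<server>[^,\s]+), (?P<msg>.*)$"
)


class DelegationReject(NamedTuple):
    client_ip: str
    intermediate: str  # service that sent the S4U2Proxy TGS-REQ (the "client" field)
    target: str        # service it asked for a ticket to (the "for" field)
    reason: str


def parse_delegation_reject(line: str) -> Optional[DelegationReject]:
    """Return the rejected (intermediate -> target) pair, or None for other lines."""
    m = TGS_LINE.search(line)
    if m is None or m.group("status") != "NOT_ALLOWED_TO_DELEGATE":
        return None
    return DelegationReject(m.group("ip"), m.group("client"),
                            m.group("server"), m.group("msg"))


def delegation_ldif(rej: DelegationReject,
                    container_dn: str = "cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com") -> str:
    """LDIF that adds the target to the intermediate's krbAllowedToDelegateTo list.
    Assumption: principal entries sit directly under the realm container as
    krbPrincipalName=<name>,<container_dn> (the default kdb5_ldap_util layout)."""
    dn = f"krbPrincipalName={rej.intermediate},{container_dn}"
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: krbAllowedToDelegateTo",
        f"krbAllowedToDelegateTo: {rej.target}",
        "",
    ])
```

Feed the output to ldapmodify as the KDC's LDAP bind identity; the KDC reads the attribute on the next request, no restart needed.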
