Enabling Unconstrained delegation on AD<->MIT Trust

Benoit PLESSIS benoit.plessis at powerboutique.com
Tue Sep 3 11:15:04 EDT 2019


Hi,

We have been using an AD KDC/MIT KDC trust for some time now; for some
political reasons we are migrating the users from the MIT KDC to the AD.

Tests made at the beginning of the year went almost "flawlessly"
(well, as much as is possible when trying to configure Microsoft
software for interoperability).

The MIT KDC is configured by a GPO, using the Delegate (0x4) flag and
the correct DNS mappings. Basic things still work as of today, except
credential delegation.

I suppose it's related to this:

   
https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server

But while there is a way to re-enable the previous behaviour for
cross-forest trusts, the netdom commands aren't compatible with Kerberos V5
interop, and ksetup doesn't list any new flag that could correspond.

I tried adding the ok_as_delegate and ok_to_auth_as_delegate flags to
the MIT principals, but to no avail.


Does anyone know if it is possible to re-enable unconstrained delegation
for Kerberos V5 realm trusts in Windows?

I'm looking at ways to configure "constrained delegation" on the MIT KDC,
but it's a very old setup using the db2 database; I can't seem to find a
guide for migrating to the LDAP storage.


MS AD is running Windows Server 2012.


-- 
Benoit
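The following is an added example, not part of the original post and not Microsoft's or MIT's own tooling. It collects, from a domain-joined Windows host and a domain controller, the three pieces of state that the post describes: what ksetup has configured for the MIT realm, the RealmFlags value (bit 0x4 = delegate) that the GPO is supposed to set, and the trustedDomain object for the realm trust (trustType 3 = MIT realm) together with the 0x800 bit in trustAttributes (TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION) that KB4490425 now requires on a trust before TGT delegation across it is allowed. The realm name EXAMPLE.ORG is a placeholder; everything else is a documented ksetup, registry or ActiveDirectory-module interface.

```powershell
# Added example (not from the original post): inspect the Windows-side state
# behind the GPO/ksetup realm configuration described above.
# Assumption: EXAMPLE.ORG is a placeholder for the MIT realm name.
$Realm = 'EXAMPLE.ORG'

# 1. What ksetup currently knows: KDC list, realm flags, host-to-realm mappings.
ksetup /dumpstate

# 2. The same data straight from the registry. RealmFlags is a bitmask;
#    0x4 is the bit that 'ksetup /setrealmflags <realm> delegate' sets.
$key   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
$props = Get-ItemProperty -Path $key -ErrorAction Stop
$flags = [int]$props.RealmFlags
'{0}: RealmFlags=0x{1:X} delegate={2}' -f $Realm, $flags, (($flags -band 0x4) -ne 0)
'KDCs: ' + ($props.KdcNames -join ', ')

# 3. The AD-side trust object(s) for non-Windows realms (trustType 3 = MIT).
#    Since KB4490425, TGT delegation across a trust is only honoured when bit
#    0x800 (TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION) is set
#    in trustAttributes; this is the bit 'netdom trust /EnableTgtDelegation'
#    flips on forest trusts. Run this part on a DC or with RSAT installed.
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter '(&(objectClass=trustedDomain)(trustType=3))' `
    -Properties trustPartner, trustType, trustDirection, trustAttributes |
  ForEach-Object {
    $ta = [int]$_.trustAttributes
    [pscustomobject]@{
      Name                = $_.Name
      TrustPartner        = $_.trustPartner
      TrustType           = $_.trustType       # 3 = MIT (non-Windows) realm
      TrustDirection      = $_.trustDirection  # 1 inbound, 2 outbound, 3 both
      TrustAttributes     = ('0x{0:X}' -f $ta)
      EnableTgtDelegation = (($ta -band 0x800) -ne 0)
    }
  }
```

If RealmFlags shows the 0x4 bit but EnableTgtDelegation reports False for the realm trust, the Windows side is in exactly the post-KB4490425 state the post describes: the client is willing to delegate, but the DC no longer issues forwardable TGTs across that trust. The MIT side of the picture is the principal's attribute list from `kadmin.local -q "getprinc host/server.example.org"`, where the OK_AS_DELEGATE attribute the post mentions should appear.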




More information about the Kerberos mailing list