Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Tue Aug 24 23:12:03 EDT 2021


Hi,

I have one more query on this, based on the following statement in the Microsoft
document:

"If a non forwardable S4U2self-generated user's service ticket for a
nonsensitive user is used, then the SFU client SHOULD<11> locate a
DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request."

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960

Is this implemented in the MIT Kerberos client?


On Thu, Jul 29, 2021 at 2:20 PM Vipul Mehta <vipulmehta.1989 at gmail.com>
wrote:

> Thank you.
> This was a useful discussion for me.
>
> On Wed, Jul 28, 2021 at 4:36 PM Isaac Boukris <iboukris at gmail.com> wrote:
>
>> On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1989 at gmail.com>
>> wrote:
>> >
>> > Now we know that the behavior is unified and the S4U2Self ticket should be
>> > forwardable to avoid the vulnerability, I think we can add a check in the MIT
>> > Kerberos API itself such that, before sending the S4U2Proxy TGS-REQ to the KDC,
>> > if the ticket is not forwardable it will fail in the client itself.
>> >
>> > I can see that JDK has this check:
>> >
>> https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
>> -> line 105
>>
>> MIT used to have that as well before RBCD was added, although I don't
>> think this was ever necessary, as that check should be done in the
>> KDC. Also disabling NonForwardableDelegation can be a valid usage when
>> relying on SIDs and not using protected-group, as in the original RBCD
>> design:
>>
>>
>> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
>>
>
>
> --
> Regards,
> Vipul
>


-- 
Regards,
Vipul
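As an added illustration of the client-side check the quoted discussion refers to (not code from MIT Kerberos, the JDK or any of the thread participants): decode the RFC 4120 TicketFlags the KDC returns in the encrypted part of the S4U2Self TGS-REP and refuse to go on to S4U2Proxy when the forwardable bit is clear. The DER byte strings are constructed samples, not captured from a KDC.

```python
# Added example: decode RFC 4120 TicketFlags (a DER BIT STRING, at least 32 bits)
# and apply the JDK-style client-side check discussed in the thread. Illustrative
# code only; not MIT Kerberos or JDK code.

# Bit positions from RFC 4120 section 5.2.8 / 5.3 (bit 0 is the first, most
# significant bit of the BIT STRING); bits 14 and 15 come from RFC 6112 / RFC 6806.
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8, "initial": 9,
    "pre-authent": 10, "hw-authent": 11, "transited-policy-checked": 12,
    "ok-as-delegate": 13, "anonymous": 14, "enc-pa-rep": 15,
}


def decode_kerberos_flags(der: bytes) -> set:
    """Parse a DER-encoded KerberosFlags BIT STRING into the set of flag names set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent BIT STRING length")
    unused_bits, body = der[2], der[3:]
    if unused_bits > 7 or len(body) * 8 - unused_bits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    flags = set()
    for name, bit in TICKET_FLAG_BITS.items():
        byte, offset = divmod(bit, 8)
        if byte < len(body) and (body[byte] >> (7 - offset)) & 1:
            flags.add(name)
    return flags


def usable_for_s4u2proxy(der_ticket_flags: bytes) -> bool:
    """Client-side check from the thread: only a forwardable S4U2Self service
    ticket is presented as the additional ticket of an S4U2Proxy TGS-REQ."""
    return "forwardable" in decode_kerberos_flags(der_ticket_flags)


# Constructed sample flag values (not captured from a real KDC).
FORWARDABLE_SAMPLE = bytes([0x03, 0x05, 0x00, 0x40, 0xA0, 0x00, 0x00])
NON_FORWARDABLE_SAMPLE = bytes([0x03, 0x05, 0x00, 0x00, 0xA0, 0x00, 0x00])

if __name__ == "__main__":
    for sample in (FORWARDABLE_SAMPLE, NON_FORWARDABLE_SAMPLE):
        print(sorted(decode_kerberos_flags(sample)), usable_for_s4u2proxy(sample))
```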

