Query regarding S4U2Self protocol extension
vipulmehta.1989 at gmail.com
Fri Jul 23 16:38:21 EDT 2021
To perform constrained delegation from Service A to Service B, forwardable
flag must be set in the S4U2Self service ticket returned by KDC to Service
I did some testing with Windows KDC and it will set forwardable flag in
S4U2Self service ticket in either of the following cases:
1) TrustedToAuthForDelegation is set to true in Service A account.
2) Service A TGT used in S4U2Self has forwardable flag set and
msDS-AllowedToDelegateTo list is empty on Service A account.
I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
in the 2nd case.
Is the behavior of MIT KDC the same as Windows KDC ?
In my test, I have configured resource based constrained delegation in
Service B (principalsAllowedToDelegateTo).
More information about the Kerberos