Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Fri Jul 23 16:38:21 EDT 2021


To perform constrained delegation from Service A to Service B,  forwardable
flag must be set in the S4U2Self service ticket returned by KDC to Service

I did some testing with Windows KDC and it will set forwardable flag in
S4U2Self service ticket in either of the following cases:

1) TrustedToAuthForDelegation is set to true in Service A account.

2) Service A TGT used in S4U2Self has forwardable flag set and
msDS-AllowedToDelegateTo list is empty on Service A account.
I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
in the 2nd case.

Is the behavior of MIT KDC the same as Windows KDC ?
In my test, I have configured resource based constrained delegation in
Service B (principalsAllowedToDelegateTo).


More information about the Kerberos mailing list