Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Fri Jul 23 18:22:56 EDT 2021

Did some more digging and found out the following:
The service ticket used in S4U2Proxy need not be forwardable if resource-based
constrained delegation is used, i.e. the principalsAllowedToDelegateTo option is
configured on Service B.

This is proved here:

On Sat, Jul 24, 2021 at 2:08 AM Vipul Mehta <vipulmehta.1989 at gmail.com>

> Hi,
> To perform constrained delegation from Service A to Service B,
> forwardable flag must be set in the S4U2Self service ticket returned by KDC
> to Service A.
> I did some testing with the Windows KDC and it sets the forwardable flag in
> the S4U2Self service ticket in either of the following cases:
> 1) TrustedToAuthForDelegation is set to true on the Service A account.
> 2) The Service A TGT used in S4U2Self has the forwardable flag set and the
> msDS-AllowedToDelegateTo list is empty on the Service A account.
> I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> in the 2nd case.
> Is the behavior of the MIT KDC the same as the Windows KDC?
> In my test, I have configured resource-based constrained delegation on
> Service B (principalsAllowedToDelegateTo).
> --
> Regards,
> Vipul
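An added example, not part of the original post or of any Kerberos project code: a PowerShell audit script that configures resource-based constrained delegation on Service B the way the poster describes (principalsAllowedToDelegateTo, which the ActiveDirectory module exposes as PrincipalsAllowedToDelegateToAccount) and then reads back the Service A attributes the poster's two observed cases depend on. The account names SVC-A and SVC-B are hypothetical placeholders; the forwardable flag on Service A's own TGT is a property of the TGT request, not of an AD attribute, so the script can only report that case 2 additionally requires a forwardable TGT.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and two hypothetical computer accounts: SVC-A (Service A) and SVC-B
# (Service B). Run as an account allowed to write to SVC-B.
Import-Module ActiveDirectory

$serviceA = 'SVC-A'   # hypothetical sAMAccountName of Service A (without the $)
$serviceB = 'SVC-B'   # hypothetical sAMAccountName of Service B

# 1. Resource-based constrained delegation is configured on the *resource*
#    (Service B): its msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists
#    the principals that may delegate to it. The AD module exposes that
#    attribute as PrincipalsAllowedToDelegateToAccount.
$aAccount = Get-ADComputer -Identity $serviceA
Set-ADComputer -Identity $serviceB -PrincipalsAllowedToDelegateToAccount $aAccount

# 2. Read back the attributes that the poster's observations refer to.
$a = Get-ADComputer -Identity $serviceA -Properties `
        TrustedToAuthForDelegation, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$b = Get-ADComputer -Identity $serviceB -Properties PrincipalsAllowedToDelegateToAccount

$rbcdConfigured = @($b.PrincipalsAllowedToDelegateToAccount) -contains $a.DistinguishedName

# Case 1 in the post: TrustedToAuthForDelegation (protocol transition) on A.
$case1 = [bool]$a.TrustedToAuthForDelegation

# Case 2 in the post: A's msDS-AllowedToDelegateTo list is empty. The other half
# of case 2 (A's TGT is forwardable) is decided when the TGT is requested, not
# by an AD attribute, so it is reported as a prerequisite rather than checked.
$kcdList  = @($a.'msDS-AllowedToDelegateTo')
$case2Pre = ($kcdList.Count -eq 0)

[PSCustomObject]@{
    ServiceA                         = $a.SamAccountName
    ServiceB                         = $b.SamAccountName
    RBCDConfiguredOnB                = $rbcdConfigured
    A_TrustedToAuthForDelegation     = $case1
    A_msDSAllowedToDelegateTo        = if ($kcdList.Count) { $kcdList -join '; ' } else { '(empty)' }
    S4U2SelfForwardable_Case1        = $case1
    S4U2SelfForwardable_Case2        = if ($case2Pre) { 'yes, if A''s TGT is forwardable' } else { 'no (msDS-AllowedToDelegateTo is not empty)' }
    S4U2ProxyNeedsForwardableTicket  = -not $rbcdConfigured
} | Format-List
```

The last field reflects the poster's finding that, once RBCD is configured on Service B, the S4U2Proxy request succeeds even when the S4U2Self ticket is not forwardable; the two S4U2SelfForwardable fields reproduce the two cases the poster observed on the Windows KDC. Rerunning the script after clearing PrincipalsAllowedToDelegateToAccount (Set-ADComputer -Identity SVC-B -PrincipalsAllowedToDelegateToAccount $null) shows the same account attributes with the forwardable requirement back in force.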

