Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Fri Jul 23 18:22:56 EDT 2021


Did some more digging and found out the following:
The service ticket used in S4U2Proxy need not be forwardable if resource-based
constrained delegation is used, i.e. the principalsAllowedToDelegateTo option is
configured on Service B.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/dd1b47f9-580c-4c4e-8f34-4485b9728331
This is proved here:
https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#serendipity




On Sat, Jul 24, 2021 at 2:08 AM Vipul Mehta <vipulmehta.1989 at gmail.com>
wrote:

> Hi,
>
> To perform constrained delegation from Service A to Service B, the
> forwardable flag must be set in the S4U2Self service ticket returned by the KDC
> to Service A.
>
> I did some testing with a Windows KDC and it will set the forwardable flag in
> the S4U2Self service ticket in either of the following cases:
>
> 1) TrustedToAuthForDelegation is set to true on the Service A account.
>
> 2) The Service A TGT used in S4U2Self has the forwardable flag set and the
> msDS-AllowedToDelegateTo list is empty on the Service A account.
> I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> in the second case.
>
> Is the behavior of the MIT KDC the same as the Windows KDC?
> In my test, I have configured resource-based constrained delegation on
> Service B (principalsAllowedToDelegateTo).
>
> --
> Regards,
> Vipul
>


-- 
Regards,
Vipul
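The rules discussed in this thread, worked through in code. This is an added example, not code from the poster, the MIT Kerberos project or Microsoft: it decodes the DER-encoded TicketFlags BIT STRING from a ticket (RFC 4120 section 5.2.8) so the forwardable bit can actually be checked, then encodes the S4U2Self behaviour the poster observed on a Windows KDC and the S4U2Proxy rule from MS-SFU (classic constrained delegation needs a forwardable additional ticket, resource-based delegation does not). The ServiceAccount model, the account names (svcA, svcB), the SPN cifs/b.corp.example and the flag bytes are constructed for the example; the decision functions model the observed behaviour, not an actual KDC implementation.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# RFC 4120 section 5.2.8 TicketFlags bit numbers; bit 0 is the most significant
# bit of the first octet. Bits 14 and 15 come from RFC 6112 and RFC 6806.
TICKET_FLAG_NAMES = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
    14: "anonymous", 15: "enc-pa-rep",
}


def parse_ticket_flags(der_bit_string: bytes) -> set[str]:
    """Decode a DER-encoded TicketFlags BIT STRING (tag 0x03, short-form
    length, unused-bits octet, flag octets) into a set of flag names."""
    if len(der_bit_string) < 3 or der_bit_string[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der_bit_string[1]
    if length & 0x80 or len(der_bit_string) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused, payload = der_bit_string[2], der_bit_string[3:]
    if unused > 7 or (unused and not payload):
        raise ValueError("bad unused-bits octet")
    flags = set()
    for bit in range(len(payload) * 8 - unused):
        octet, shift = divmod(bit, 8)
        if payload[octet] & (0x80 >> shift):
            flags.add(TICKET_FLAG_NAMES.get(bit, f"bit-{bit}"))
    return flags


@dataclass
class ServiceAccount:
    """Hypothetical model holding only the AD attributes relevant here."""
    name: str                                      # e.g. "svcA"
    trusted_to_auth_for_delegation: bool = False   # UAC TRUSTED_TO_AUTH_FOR_DELEGATION
    allowed_to_delegate_to: set = field(default_factory=set)       # msDS-AllowedToDelegateTo SPNs
    allowed_to_act_on_behalf_of: set = field(default_factory=set)  # msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)


def s4u2self_ticket_forwardable(service_a: ServiceAccount, tgt_flags: set[str]) -> bool:
    """Whether the S4U2Self service ticket comes back forwardable, as observed
    in this thread on a Windows KDC: yes if TrustedToAuthForDelegation is set,
    or if the TGT is forwardable and msDS-AllowedToDelegateTo is empty."""
    if service_a.trusted_to_auth_for_delegation:
        return True
    return "forwardable" in tgt_flags and not service_a.allowed_to_delegate_to


def s4u2proxy_decision(service_a, service_b, service_b_spn, additional_ticket_flags):
    """Model of the KDC decision for S4U2Proxy from A to B: (allowed, reason).
    With RBCD the forwardable check is skipped (MS-SFU); classic constrained
    delegation needs B's SPN in A's list and a forwardable additional ticket."""
    if service_a.name in service_b.allowed_to_act_on_behalf_of:
        return True, "RBCD: B lists A in msDS-AllowedToActOnBehalfOfOtherIdentity"
    if service_b_spn not in service_a.allowed_to_delegate_to:
        return False, "A's msDS-AllowedToDelegateTo does not contain B's SPN"
    if "forwardable" not in additional_ticket_flags:
        return False, "classic constrained delegation needs a forwardable S4U2Self ticket"
    return True, "classic constrained delegation"


def walk_through(rbcd: bool) -> dict:
    """Constructed scenario: A has a non-empty msDS-AllowedToDelegateTo and is
    not trusted for protocol transition; B optionally grants RBCD to A."""
    a = ServiceAccount("svcA", allowed_to_delegate_to={"cifs/b.corp.example"})
    b = ServiceAccount("svcB", allowed_to_act_on_behalf_of={"svcA"} if rbcd else set())
    # Constructed forwardable TGT flags: forwardable, renewable, pre-authent.
    tgt_flags = parse_ticket_flags(bytes.fromhex("03050040a00000"))
    fwd = s4u2self_ticket_forwardable(a, tgt_flags)
    s4u2self_flags = {"renewable", "pre-authent"} | ({"forwardable"} if fwd else set())
    ok, why = s4u2proxy_decision(a, b, "cifs/b.corp.example", s4u2self_flags)
    return {"s4u2self_forwardable": fwd, "s4u2proxy_allowed": ok, "reason": why}


if __name__ == "__main__":
    for rbcd in (False, True):
        print("RBCD" if rbcd else "classic", walk_through(rbcd))
```

Running it shows the two outcomes side by side: with a non-empty msDS-AllowedToDelegateTo and no protocol transition the S4U2Self ticket is not forwardable and classic S4U2Proxy is refused, while the same non-forwardable ticket is accepted once Service B grants RBCD to Service A.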

