Query regarding S4U2Self protocol extension

Greg Hudson ghudson at mit.edu
Mon Jul 26 15:14:08 EDT 2021

On 7/23/21 4:38 PM, Vipul Mehta wrote:
> I did some testing with a Windows KDC, and it will set the forwardable flag
> in the S4U2Self service ticket in either of the following cases:
> 1) TrustedToAuthForDelegation is set to true on the Service A account.
> 2) The Service A TGT used in S4U2Self has the forwardable flag set, and the
> msDS-AllowedToDelegateTo list is empty on the Service A account.
> I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> in the 2nd case.
> Is the behavior of the MIT KDC the same as the Windows KDC?

We have an analog of the TrustedToAuthForDelegation flag, called
ok_to_auth_as_delegate.  We don't check for an empty
allowed-to-delegate-to list.

> The service ticket used in S4U2Proxy need not be forwardable if
> resource-based constrained delegation is used, i.e. the
> principalsAllowedToDelegateTo option is configured on Service B.

Note that, as of 2019, the forwardable flag must be set on the evidence
ticket if the delegation is authorized in both directions (on the
intermediate service and the target service).  We implemented this
counterintuitive behavior in the MIT KDC for consistency.

There is some reason to think this might be changing.  This article
(noted by Isaac):


talks about a protection measure that "unifies the logic for
Resource-Based Constrained Delegation (RBCD) with the original
constrained delegation."  We have asked Microsoft for clarification.
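The two delegation configurations contrasted in this thread (classic constrained delegation with protocol transition on the intermediate service, and resource-based constrained delegation on the target), written out as Active Directory cmdlets. This is an added example, not something posted in the thread or shipped with MIT krb5; the account name svcA, the computer account SRVB$ and the SPN http/srvb.corp.example are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: configure and read back the delegation settings discussed above.
# svcA, SRVB$ and http/srvb.corp.example are placeholder names.
Import-Module ActiveDirectory

$serviceA    = 'svcA'                     # intermediate service account (placeholder)
$serviceB    = 'SRVB$'                    # target service computer account (placeholder)
$serviceBSpn = 'http/srvb.corp.example'   # SPN of the target service (placeholder)

# Case 1 from the thread: protocol transition. Sets
# UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION in userAccountControl on Service A;
# the MIT analog is the ok_to_auth_as_delegate principal flag.
Set-ADAccountControl -Identity $serviceA -TrustedToAuthForDelegation $true

# Classic (outbound) constrained delegation: msDS-AllowedToDelegateTo on Service A.
# The thread notes that, on Windows, case 2 only yields a forwardable S4U2Self
# ticket when this list is empty, so populate or clear it deliberately.
Set-ADUser -Identity $serviceA -Add @{ 'msDS-AllowedToDelegateTo' = $serviceBSpn }

# Resource-based constrained delegation: configured on the target (Service B).
# Stored as a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity.
Set-ADComputer -Identity $serviceB -PrincipalsAllowedToDelegateToAccount (Get-ADUser -Identity $serviceA)

# Read the resulting state back from both sides so the "authorized in both
# directions" case the thread describes is visible at a glance.
function Get-DelegationConfig {
    param(
        [Parameter(Mandatory)] [string] $Intermediate,
        [Parameter(Mandatory)] [string] $Target
    )
    $a = Get-ADUser -Identity $Intermediate -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $b = Get-ADComputer -Identity $Target -Properties PrincipalsAllowedToDelegateToAccount

    $outbound = @($a.'msDS-AllowedToDelegateTo')
    $rbcd     = @($b.PrincipalsAllowedToDelegateToAccount)

    [pscustomobject]@{
        IntermediateProtocolTransition  = [bool]$a.TrustedToAuthForDelegation
        IntermediateAllowedToDelegateTo = $outbound
        TargetRBCDPrincipals            = $rbcd
        # Both directions configured: per the thread, as of 2019 the evidence
        # ticket must then be forwardable for S4U2Proxy to succeed.
        AuthorizedInBothDirections      = ($outbound.Count -gt 0) -and ($rbcd.Count -gt 0)
    }
}

Get-DelegationConfig -Intermediate $serviceA -Target $serviceB

# To return to the "empty msDS-AllowedToDelegateTo" situation from case 2:
# Set-ADUser -Identity $serviceA -Clear 'msDS-AllowedToDelegateTo'
```

Run this as a user with write access to both accounts. The AuthorizedInBothDirections field only reports that both the outbound list on Service A and the RBCD descriptor on Service B are populated; whether the KDC then requires a forwardable evidence ticket is the behaviour the thread is asking Microsoft to clarify, so verify it against your KDC rather than assuming it.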
