Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Tue Jul 27 02:39:47 EDT 2021

Need a clarification:
The MIT KDC will set the forwardable flag in the S4U2Self ticket in the following cases
(provided the account is not sensitive and not part of a secure group):
1) ok_to_auth_as_delegate is true
2) ok_to_auth_as_delegate is false and the Service TGT has the forwardable flag set

Am I correct here?

One more thing:
If msDS-AllowedToDelegateTo is non-empty and TrustedToAuthForDelegation is
false, then the forwardable flag must be set to false. Isn't this behavior
different between the MIT KDC and the Windows KDC, as the MIT KDC does not check
the msDS-AllowedToDelegateTo list?

Just copy-pasting the Microsoft doc statement:
"If the TrustedToAuthenticationForDelegation parameter on the Service 1
principal is set to:
TRUE: the KDC MUST set the FORWARDABLE ticket flag ([RFC4120] section 2.6)
in the S4U2self service ticket.
FALSE and ServicesAllowedToSendForwardedTicketsTo is nonempty: the KDC MUST
NOT set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self
service ticket.<18>
If the DelegationNotAllowed parameter on the principal is set, then the KDC
SHOULD NOT set the FORWARDABLE ticket flag ([RFC4120], section 2.6) in the
S4U2self service ticket.<19>"

On Tue, Jul 27, 2021 at 12:44 AM Greg Hudson <ghudson at mit.edu> wrote:

> On 7/23/21 4:38 PM, Vipul Mehta wrote:
> > I did some testing with Windows KDC and it will set forwardable flag in
> > S4U2Self service ticket in either of the following cases:
> >
> > 1) TrustedToAuthForDelegation is set to true in Service A account.
> >
> > 2) Service A TGT used in S4U2Self has forwardable flag set and
> > msDS-AllowedToDelegateTo list is empty on Service A account.
> > I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> > in the 2nd case.
> >
> > Is the behavior of MIT KDC the same as Windows KDC ?
> We have an analog of the TrustedToAuthForDelegation flag, called
> ok_to_auth_as_delegate.  We don't check for an empty
> allowed-to-delegate-to list.
> > Service ticket used in S4U2Proxy need not be forwardable if resource-based
> > constrained delegation is used, i.e. the principalsAllowedToDelegateTo option is
> > configured on Service B.
> Note that, as of 2019, the forwardable flag must be set on the evidence
> ticket if the delegation is authorized in both directions (on the
> intermediate service and the target service).  We implemented this
> counterintuitive behavior in the MIT KDC for consistency.
> There is some reason to think this might be changing.  This article
> (noted by Isaac):
> https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3
> talks about a protection measure that "unifies the logic for
> Resource-Based Constrained Delegation (RBCD) with the original
> constrained delegation."  We have asked Microsoft for clarification.
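To make the two rule sets discussed in this thread concrete, the following is an added Python model of the S4U2Self FORWARDABLE decision. It is not code from MIT krb5, from Windows, or from anyone on the list: the Windows branch encodes the MS-SFU text quoted above plus the behavior Vipul reports observing (when TrustedToAuthForDelegation is false and the list is empty, the flag follows the service's own TGT); the MIT branch encodes the summary Vipul proposes (ok_to_auth_as_delegate, or a forwardable TGT, and no check of the allowed-to-delegate-to list). The class, field and function names, the mapping of "sensitive account / secure group" onto a single `delegation_not_allowed` bit, its assumed MIT analogue (DISALLOW_FORWARDABLE on the impersonated principal) and the sample SPN are all my own assumptions.

```python
# Added model (not MIT krb5 or Windows KDC code) of the S4U2Self FORWARDABLE
# decision.  Windows branch: MS-SFU text quoted in the mail plus the observed
# behaviour reported in the thread.  MIT branch: the summary proposed in the
# mail.  Names below are assumptions, not KDB or AD attribute names.
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class ServiceAccount:
    """Service 1, the service that sends the S4U2Self request."""
    # AD: TrustedToAuthForDelegation; MIT: ok_to_auth_as_delegate
    trusted_to_auth_for_delegation: bool = False
    # AD: msDS-AllowedToDelegateTo (ServicesAllowedToSendForwardedTicketsTo).
    # Per the thread, the MIT KDC never consults this for S4U2Self.
    allowed_to_delegate_to: tuple = ()


@dataclass(frozen=True)
class ImpersonatedUser:
    """The user named in the PA-FOR-USER padata."""
    # AD: "account is sensitive and cannot be delegated" or Protected Users.
    # Assumed MIT analogue: DISALLOW_FORWARDABLE on the client principal.
    delegation_not_allowed: bool = False


def windows_s4u2self_forwardable(svc, user, tgt_forwardable):
    """Rule set from the MS-SFU text quoted in the mail.

    The DelegationNotAllowed check is applied first: the spec says the KDC
    SHOULD NOT set the flag for such a user regardless of the other inputs.
    """
    if user.delegation_not_allowed:
        return False
    if svc.trusted_to_auth_for_delegation:
        return True                   # TRUE: MUST set FORWARDABLE
    if svc.allowed_to_delegate_to:
        return False                  # FALSE and list nonempty: MUST NOT set
    # FALSE and list empty: the quoted text is silent; the thread reports that
    # the flag then follows the forwardable flag of Service 1's own TGT.
    return tgt_forwardable


def mit_s4u2self_forwardable(svc, user, tgt_forwardable):
    """Rule set as summarised in the mail for the MIT KDC: ok_to_auth_as_delegate,
    or a forwardable TGT, with no look at the allowed-to-delegate-to list."""
    if user.delegation_not_allowed:
        return False
    if svc.trusted_to_auth_for_delegation:
        return True
    return tgt_forwardable


def divergent_cases():
    """Walk every combination of the four inputs and return those where the
    two KDCs disagree, as (t2a4d, list_nonempty, user_sensitive, tgt_fwd)."""
    sample_spn = ("cifs/fileserver.example.com",)   # constructed sample entry
    out = []
    for t2a4d, nonempty, sensitive, tgt_fwd in product([False, True], repeat=4):
        svc = ServiceAccount(t2a4d, sample_spn if nonempty else ())
        user = ImpersonatedUser(sensitive)
        win = windows_s4u2self_forwardable(svc, user, tgt_fwd)
        mit = mit_s4u2self_forwardable(svc, user, tgt_fwd)
        if win != mit:
            out.append((t2a4d, nonempty, sensitive, tgt_fwd))
    return out


if __name__ == "__main__":
    for case in divergent_cases():
        print("KDCs differ for (T2A4D, A2D2 nonempty, sensitive, TGT fwd) =", case)
```

Running the enumeration shows exactly one disagreement: a non-sensitive user, TrustedToAuthForDelegation false, a non-empty msDS-AllowedToDelegateTo and a forwardable TGT, which is precisely the case raised in the "One more thing" paragraph above. Everything else (the TRUE case, the sensitive-user case, and the empty-list case) comes out the same under both rule sets.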


More information about the Kerberos mailing list