Query regarding S4U2Self protocol extension

Isaac Boukris iboukris at gmail.com
Tue Jul 27 12:28:19 EDT 2021

On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta <vipulmehta.1989 at gmail.com> wrote:
> Need a clarification:
> MIT KDC will set the forwardable flag in S4U2Self ticket in following cases
> (provided account is not sensitive and not part of secure group):
> 1) ok_to_auth_as_delegate is true
> or
> 2) ok_to_auth_as_delegate is false and Service TGT has forwardable flag set

In case of 2) we'll also check that
'ServicesAllowedToSendForwardedTicketsTo' is empty, like in the doc. I
was just suggesting, implementation-wise, that we do it in the plugin
instead of the KDC itself: that is, when the principal is retrieved, the
plugin will add 'ok_to_auth_as_delegate' if
'ServicesAllowedToSendForwardedTicketsTo' is empty.
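The decision rule discussed in this thread, encoded as a small audit helper so an administrator can see which service accounts would receive a forwardable S4U2Self ticket. This is an added illustration, not code from MIT Kerberos or from either poster; the ServiceAccount record, its field names and the sample accounts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class ServiceAccount:
    """Constructed view of the attributes the KDC consults (hypothetical field names)."""
    name: str
    sensitive: bool                      # "account is sensitive" (must not be delegated)
    in_secure_group: bool                # member of a secure/protected group
    ok_to_auth_as_delegate: bool         # protocol-transition flag on the service
    tgt_forwardable: bool                # forwardable flag on the service's own TGT
    services_allowed_to_send_forwarded_tickets_to: List[str] = field(default_factory=list)


def s4u2self_forwardable(acct: ServiceAccount) -> bool:
    """Return True when the KDC would set the forwardable flag on the S4U2Self ticket.

    Precondition from the thread: never for sensitive accounts or secure-group members.
    Case 1: ok_to_auth_as_delegate is true.
    Case 2: ok_to_auth_as_delegate is false, the service TGT is forwardable and
            'ServicesAllowedToSendForwardedTicketsTo' is empty.
    """
    if acct.sensitive or acct.in_secure_group:
        return False
    if acct.ok_to_auth_as_delegate:
        return True
    return acct.tgt_forwardable and not acct.services_allowed_to_send_forwarded_tickets_to


def audit_forwardable_s4u2self(accounts: List[ServiceAccount]) -> List[str]:
    """Names of accounts that can obtain a forwardable S4U2Self ticket (sorted)."""
    return sorted(a.name for a in accounts if s4u2self_forwardable(a))


# Constructed sample data covering each branch of the rule.
SAMPLE_ACCOUNTS = [
    ServiceAccount("svc-web", False, False, True, True),                 # case 1
    ServiceAccount("svc-report", False, False, False, True),             # case 2, empty list
    ServiceAccount("svc-db", False, False, False, True, ["cifs/fs01"]),  # list set -> no
    ServiceAccount("svc-admin", True, False, True, True),                # sensitive -> no
    ServiceAccount("svc-batch", False, False, False, False),             # TGT not forwardable
]

if __name__ == "__main__":
    print(audit_forwardable_s4u2self(SAMPLE_ACCOUNTS))
```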

