Query regarding S4U2Self protocol extension

Isaac Boukris iboukris at gmail.com
Wed Jul 28 04:37:58 EDT 2021

On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta <vipulmehta.1989 at gmail.com> wrote:
> I have Windows Server 2012 R2 with all the security updates installed and did some tests:
> Resource Based Constrained Delegation configured for Service A in Service B account.
> Case 1) Service A: trustedToAuthForDelegation = false and non-empty msds-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag and subsequent S4U2Proxy failed.

That's expected because the default of 'NonForwardableDelegation' is
enabled, I think, so RBCD requires the forwardable flag now. If you set
NonForwardableDelegation to disabled (that is, to 1 ..), then RBCD
S4U2Proxy will continue to work as before the update.
