Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Wed Jul 28 06:46:04 EDT 2021


Now that we know the behavior is unified and the S4U2Self ticket should be
forwardable to avoid the vulnerability, I think we can add a check in the MIT
Kerberos API itself such that, before sending the S4U2Proxy TGS-REQ to the KDC,
it fails in the client itself if the ticket is not forwardable.

I can see that JDK has this check:
https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
-> line 105


On Wed, Jul 28, 2021 at 2:08 PM Isaac Boukris <iboukris at gmail.com> wrote:

> On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta <vipulmehta.1989 at gmail.com>
> wrote:
> >
> > I have windows server 2012 R2 with all the security updates installed
> and did some tests:
> >
> > Resource Based Constrained Delegation configured for Service A in
> Service B account.
> >
> > Case 1) Service A :  trustedToAuthForDelegation = false and non-empty
> msds-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag
> and subsequent S4U2Proxy failed.
>
> That's expected because the default of 'NonForwardableDelegation' is
> enabled I think, so RBCD requires forwardable flag now, if you set
> NonForwardableDelegation to disabled (that is to 1 ..), then RBCD
> S4U2Proxy will continue to work as before the update.
>


-- 
Regards,
Vipul
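The client-side pre-check proposed in the message above, written out as an added example (it is not code from MIT Kerberos or the JDK): the forwardable flag of the S4U2Self ticket is read from the KerberosFlags BIT STRING (RFC 4120 section 5.2.8, bit 1) and the S4U2Proxy step is refused locally when it is absent, before any TGS-REQ reaches the KDC. The two sample encodings are constructed, not taken from real tickets.

```python
"""Client-side S4U2Proxy pre-check: refuse when the S4U2Self ticket is not FORWARDABLE."""

# RFC 4120 TicketFlags bit positions (bit 0 is the most significant bit).
TICKET_FLAG_NAMES = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may-postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}


class NotForwardableError(Exception):
    """Raised when the S4U2Self ticket cannot be used for S4U2Proxy."""


def decode_kerberos_flags(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) holding KerberosFlags into a set of flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused_bits, body = der[2], der[3:]
    if unused_bits > 7 or (unused_bits and not body):
        raise ValueError("bad unused-bits count")
    flags = set()
    for bit in range(len(body) * 8 - unused_bits):
        if body[bit // 8] & (0x80 >> (bit % 8)):
            flags.add(TICKET_FLAG_NAMES.get(bit, f"bit{bit}"))
    return flags


def check_s4u2self_ticket_for_proxy(flags_der: bytes) -> set:
    """Return the decoded flags, or raise before any S4U2Proxy TGS-REQ is built."""
    flags = decode_kerberos_flags(flags_der)
    if "forwardable" not in flags:
        raise NotForwardableError("S4U2Self ticket is not forwardable; KDC would reject S4U2Proxy")
    return flags


def s4u2self_ticket_usable_for_proxy(flags_der: bytes) -> bool:
    """Boolean form of the same check, convenient for callers that just want to branch."""
    try:
        check_s4u2self_ticket_for_proxy(flags_der)
        return True
    except NotForwardableError:
        return False


# Constructed 32-bit samples, 0 unused bits: forwardable|renewable|pre-authent vs. renewable|pre-authent.
FORWARDABLE_SAMPLE = bytes.fromhex("03050040A00000")
NON_FORWARDABLE_SAMPLE = bytes.fromhex("03050000A00000")
```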

