Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Wed Jul 28 04:09:52 EDT 2021

I have windows server 2012 R2 with all the security updates installed and
did some tests:

Resource Based Constrained Delegation configured for Service A in Service B

Case 1) Service A: trustedToAuthForDelegation = false and non-empty
msDS-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag
and subsequent S4U2Proxy failed.

Case 2) Service A: trustedToAuthForDelegation = false and empty
msDS-AllowedToDelegateTo -> S4U2Self ticket was forwardable and subsequent
S4U2Proxy passed.

Because the ticket signature check has been enabled in the KDC by the security
update, I now cannot change the forwardable flag from false to true in the
S4U2Self ticket in case 1).

On Tue, Jul 27, 2021 at 9:58 PM Isaac Boukris <iboukris at gmail.com> wrote:

> On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta <vipulmehta.1989 at gmail.com>
> wrote:
> >
> > Need a clarification:
> > MIT KDC will set the forwardable flag in S4U2Self ticket in following
> cases
> > (provided account is not sensitive and not part of secure group):
> > 1) ok_to_auth_as_delegate is true
> > or
> > 2) ok_to_auth_as_delegate is false and Service TGT has forwardable flag
> set
> In case of 2) we'll also check that
> 'ServicesAllowedToSendForwardedTicketsTo' is empty like in the doc, I
> was just suggesting implementation wise that we do it in the plugin
> instead of the kdc itself, that is when the principal is retrieved the
> plugin will add 'ok_to_auth_as_delegate' if the
> 'ServicesAllowedToSendForwardedTicketsTo' is empty.
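To make the two cases in the thread concrete, here is an added toy model (not MIT krb5 or Windows KDC code, and not posted by either participant) of the forwardable-flag rule Isaac describes, plus a simplified RBCD S4U2Proxy gate matching what Vipul observed: a non-forwardable evidence ticket is rejected, and a KDC-keyed signature over the ticket contents stands in for the PAC ticket signature that stops Service A from flipping the flag in its own S4U2Self ticket. Account names (svc-a, svc-b, alice), the SPN cifs/fileserver and the keys are constructed for the illustration; the HMAC is a stand-in, not the real ticket-signature construction.

```python
"""Toy model of the S4U2Self forwardable-flag rule and the RBCD S4U2Proxy
gate discussed in the thread (constructed example, not MIT krb5 or Windows
KDC code). Attribute names mirror the thread / MS-SFU wording."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed key. In a real KDC the PAC ticket signature is keyed with the
# krbtgt key, which the requesting service never holds.
KRBTGT_KEY = b"constructed-krbtgt-key"


@dataclass
class ServiceAccount:
    name: str
    trusted_to_auth_for_delegation: bool     # ok_to_auth_as_delegate in MIT terms
    allowed_to_delegate_to: tuple = ()       # msDS-AllowedToDelegateTo
    allowed_to_act_on_behalf: tuple = ()     # msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)


@dataclass
class User:
    name: str
    sensitive: bool = False                  # "account is sensitive and cannot be delegated"
    protected_user: bool = False             # member of Protected Users


def s4u2self_forwardable(svc, user, service_tgt_forwardable):
    """Decide whether the KDC sets FORWARDABLE on the S4U2Self ticket."""
    if user.sensitive or user.protected_user:
        return False
    if svc.trusted_to_auth_for_delegation:
        return True
    # ok_to_auth_as_delegate false: forwardable only if the service's own TGT
    # is forwardable AND msDS-AllowedToDelegateTo is empty (Isaac's condition).
    return service_tgt_forwardable and not svc.allowed_to_delegate_to


def _sign(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KRBTGT_KEY, data, hashlib.sha256).hexdigest()


def issue_s4u2self_ticket(svc, user, service_tgt_forwardable=True):
    body = {"cname": user.name, "sname": svc.name,
            "forwardable": s4u2self_forwardable(svc, user, service_tgt_forwardable)}
    # Stand-in for the PAC ticket signature: bound to the ticket contents with
    # a key the service does not hold, so edits after decryption are detectable.
    return {**body, "kdc_sig": _sign(body)}


def rbcd_s4u2proxy(front, back, evidence):
    """Simplified KDC check for an RBCD S4U2Proxy request from `front` to `back`.
    Returns (granted, reason)."""
    body = {k: v for k, v in evidence.items() if k != "kdc_sig"}
    if not hmac.compare_digest(_sign(body), evidence["kdc_sig"]):
        return False, "ticket signature mismatch"
    if front.name not in back.allowed_to_act_on_behalf:
        return False, "front-end service not in msDS-AllowedToActOnBehalfOfOtherIdentity"
    if not evidence["forwardable"]:
        # Case 1 in the thread: non-forwardable evidence ticket, proxy fails.
        return False, "evidence ticket not forwardable"
    return True, "service ticket to %s issued for %s" % (back.name, evidence["cname"])


def run_cases():
    user = User("alice")
    service_b = ServiceAccount("svc-b", False, allowed_to_act_on_behalf=("svc-a",))
    results = {}
    # Case 1: trustedToAuthForDelegation false, non-empty msDS-AllowedToDelegateTo
    a1 = ServiceAccount("svc-a", False, allowed_to_delegate_to=("cifs/fileserver",))
    t1 = issue_s4u2self_ticket(a1, user)
    results["case1"] = (t1["forwardable"], rbcd_s4u2proxy(a1, service_b, t1)[0])
    # Case 2: same account, but msDS-AllowedToDelegateTo empty
    a2 = ServiceAccount("svc-a", False)
    t2 = issue_s4u2self_ticket(a2, user)
    results["case2"] = (t2["forwardable"], rbcd_s4u2proxy(a2, service_b, t2)[0])
    # Tamper: Service A decrypts its own case-1 S4U2Self ticket, flips the
    # flag and re-encrypts; the KDC-keyed signature no longer matches.
    tampered = dict(t1, forwardable=True)
    results["tampered"] = rbcd_s4u2proxy(a1, service_b, tampered)
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```

The model deliberately stops at what the thread shows: the forwardable decision on the S4U2Self ticket and the fact that, once the flag is bound by a signature the service cannot recompute, the old "flip the bit and proceed" shortcut is rejected before any delegation check runs.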


More information about the Kerberos mailing list