Query regarding S4U2Self protocol extension

Vipul Mehta vipulmehta.1989 at gmail.com
Thu Jul 29 04:50:46 EDT 2021


Thank you.
This was a useful discussion for me.

On Wed, Jul 28, 2021 at 4:36 PM Isaac Boukris <iboukris at gmail.com> wrote:

> On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1989 at gmail.com>
> wrote:
> >
> > Now we know that the behavior is unified and the S4U2Self ticket should be
> > forwardable to avoid the vulnerability, I think we can add a check in the MIT
> > Kerberos API itself such that before sending the S4U2Proxy TGS-REQ to the KDC, if
> > the ticket is not forwardable it will fail in the client itself.
> >
> > I can see that JDK has this check:
> >
> > https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
> > -> line 105
>
> MIT used to have that as well before RBCD was added, although I don't
> think this was ever necessary, as that check should be done in the
> KDC. Also, disabling NonForwardableDelegation can be a valid usage when
> relying on SIDs and not using protected groups, as in the original RBCD
> design:
>
> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
>


-- 
Regards,
Vipul
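As an added example (not code from this thread, from MIT Kerberos or from the JDK), here is the client-side gate Vipul describes, with the opt-out Isaac mentions: it decodes the DER-encoded TicketFlags of an S4U2Self service ticket (RFC 4120 KerberosFlags, forwardable = bit 1) and refuses to proceed to S4U2Proxy unless the ticket is forwardable or the caller has explicitly allowed non-forwardable delegation. The flag byte strings below are constructed sample values, and the function names are my own.

```python
"""Client-side check before an S4U2Proxy TGS-REQ (added example, not MIT/JDK code)."""

# Flag bit positions from RFC 4120 section 5.3 (TicketFlags); bit 0 is the
# most significant bit of the first content octet of the BIT STRING.
FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3,
    "proxy": 4, "may-postdate": 5, "postdated": 6, "invalid": 7,
    "renewable": 8, "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}


def decode_kerberos_flags(der: bytes) -> set:
    """Parse a DER BIT STRING carrying KerberosFlags into a set of flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:   # short-form length only
        raise ValueError("unsupported or truncated length")
    unused, body = der[2], der[3:]
    nbits = len(body) * 8 - unused
    if nbits < 32:                                 # RFC 4120: at least 32 bits
        raise ValueError("KerberosFlags must carry at least 32 bits")
    return {name for name, bit in FLAG_BITS.items()
            if bit < nbits and body[bit // 8] & (0x80 >> (bit % 8))}


def s4u2proxy_allowed(s4u2self_flags_der: bytes,
                      allow_nonforwardable: bool = False) -> bool:
    """Gate before sending S4U2Proxy: fail locally on a non-forwardable
    S4U2Self ticket unless the caller deliberately opted in (RBCD with SIDs)."""
    flags = decode_kerberos_flags(s4u2self_flags_der)
    return "forwardable" in flags or allow_nonforwardable


# Constructed samples: bits 1 (forwardable), 8 (renewable), 10 (pre-authent)
FORWARDABLE_TICKET = bytes.fromhex("03 05 00 40 A0 00 00".replace(" ", ""))
# Same ticket without bit 1 set.
NONFORWARDABLE_TICKET = bytes.fromhex("03 05 00 00 A0 00 00".replace(" ", ""))

if __name__ == "__main__":
    print(sorted(decode_kerberos_flags(FORWARDABLE_TICKET)))
    print("proceed" if s4u2proxy_allowed(NONFORWARDABLE_TICKET) else "refuse")
```

The opt-in flag models the NonForwardableDelegation setting discussed above; the KDC still performs its own check, so this gate only fails fast on the client.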