[krbdev.mit.edu #8777] S4U2Self with X.509 certificate bugs
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Jan 28 15:21:22 EST 2019
One more issue I neglected to note:
* In the TGS part of an S4U2Self request, when multiple TGS requests are
required due to cross-realm, to be consistent with Windows clients,
only the first request should present the certificate; later requests
should present the client principal obtained from the PA-FOR-X509-USER
padata in the first TGS response.
I will also note here that, per Isaac's investigation, the Windows LSA
API will extract a UPN SAN from the client certificate and use that
enterprise principal in preference to the certificate. To do the same
we would need certificate-parsing code or an OpenSSL dependency in the
S4U2Self code.
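As an added illustration of the UPN SAN extraction mentioned above (example code, not from this ticket or from MIT krb5): a dependency-free Python sketch in which a small DER helper constructs a SubjectAltName carrying a Microsoft UPN otherName, upn_from_san() pulls the UPN back out the way the note says the LSA does, and enterprise_principal() shows the escaped enterprise-name string form. The function names, the sample UPN and the local realm are assumptions.

```python
# DER encoding of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft szOID_NT_PRINCIPAL_NAME)
UPN_OID = bytes.fromhex("2b060104018237140203")

def _der(tag, body):
    """Minimal DER TLV encoder (short and one-byte long length forms only)."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def build_san(upn=None, emails=()):
    """Constructed SubjectAltName: optional rfc822Name entries plus a UPN otherName."""
    names = [_der(0x81, e.encode()) for e in emails]           # rfc822Name [1] IA5String
    if upn is not None:
        other = _der(0x06, UPN_OID) + _der(0xA0, _der(0x0C, upn.encode()))
        names.append(_der(0xA0, other))                         # otherName [0] IMPLICIT
    return _der(0x30, b"".join(names))                          # GeneralNames SEQUENCE

def _tlvs(data):
    """Yield (tag, value) pairs from a run of DER TLVs."""
    i = 0
    while i < len(data):
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:                                            # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n

def upn_from_san(san_der):
    """Return the UPN from a SubjectAltName extension value, or None if absent."""
    [(_, general_names)] = _tlvs(san_der)
    for tag, val in _tlvs(general_names):
        if tag != 0xA0:                                         # only otherName carries a UPN
            continue
        (_, type_id), (_, explicit) = _tlvs(val)
        if type_id == UPN_OID:
            [(_, utf8)] = _tlvs(explicit)                       # value [0] EXPLICIT UTF8String
            return utf8.decode("utf-8")
    return None

def enterprise_principal(upn, local_realm):
    """UPN as a krb5 enterprise principal string: '@' in the component is escaped and the
    local realm is appended (assumption: the KDC canonicalizes it via referral)."""
    return upn.replace("@", r"\@") + "@" + local_realm
```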