OK-AS-DELEGATE FLAG setting.
JC Ferguson
jc at F5.com
Wed May 7 12:37:19 EDT 2008
FWIW: Microsoft sets this when a principal is "trusted for delegation"
in Active Directory. When a Microsoft client is connecting to a
CIFS-based service and the OK_AS_DELEGATE flag is set, the Microsoft
client fetches a forwardable TGT and wraps that up in the authentication
material along with the service ticket.
> -----Original Message-----
> From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu]
> On Behalf Of Douglas E. Engert
> Sent: Wednesday, May 07, 2008 12:22
> To: Ken Raeburn
> Cc: krbdev at mit.edu
> Subject: Re: OK-AS-DELEGATE FLAG setting.
>
> Ken Raeburn wrote:
> > On May 7, 2008, at 02:27, josephharfouch at iinet.net.au wrote:
> >> Does the MIT kerberos source code set the OK-AS-DELEGATE flag
> >> (TKT_FLG_OK_AS_DELEGATE), and if yes, then under what circumstances?
> >
> > No. Our code will display the flag in "klist" output, but has no
> > support for setting it at present.
> >
> >> I am conducting a cross platform test where the gss client and server
> >> are using the z/OS Kerberos implementation, but the KDC is using the
> >> MIT implementation. The test case fails, unless I tell the z/OS
> >> kerberos implementation code to ignore the delegate check test. (We
> >> have a check_delegate flag that is turned on by default, but we can
> >> turn it off in krb5.conf), so I am wondering if turning off the check
> >> is the best way to proceed.
> >
> > It certainly sounds like the easiest way to proceed. Modifying the
> > MIT code to set the flag (perhaps controlled by policies, perhaps only
> > by per-principal flags? needs some thought) would be more work, but
> > would let you retain the check.
> >
>
> If I recall, there was a request from one of the other Labs
> to have MIT clients check for the flag being set, much like a
> Windows SSPI client does before delegating. So it might be a
> good feature to allow the KDC to set the flag based on per-server
> flags. As it allows a client to authenticate to a semi-trusted
> server, but not delegate to it. Gives the realm admin some control
> over what machines are trusted with delegated credentials.
>
> FireFox or other browsers using SPNEGO may also check the
> flag, they probably don't today but they may in the future.
>
> On Windows the ksetup /setRealmFlags Delegate can override
> the test for non-Windows realms.
>
> > Ken
> > _______________________________________________
> > krbdev mailing list krbdev at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
> --
>
> Douglas E. Engert <DEEngert at anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
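The two behaviours the thread describes, the Windows client fetching a forwardable TGT only when the service ticket carries OK-AS-DELEGATE, and Doug's proposal of a KDC that sets the flag from per-server attributes, modelled together in Python as an added example (not MIT, z/OS or Microsoft code). The bit values are MIT's krb5.h TKT_FLG_* constants and klist's flag letters; the policy functions, the service_trusted_for_delegation attribute and the check_delegate switch are hypothetical names for what the messages above describe.

```python
# MIT krb5.h TKT_FLG_* bit values, keyed by the letter "klist -f" prints for each flag and
# listed in klist's print order; the values follow the RFC 4120 TicketFlags bit positions.
KLIST_BITS = {
    "F": 0x40000000, "f": 0x20000000,  # forwardable, forwarded
    "P": 0x10000000, "p": 0x08000000,  # proxiable, proxy
    "D": 0x04000000, "d": 0x02000000,  # may-postdate, postdated
    "R": 0x00800000, "I": 0x00400000,  # renewable, initial
    "i": 0x01000000, "H": 0x00100000,  # invalid, hw-authent
    "A": 0x00200000, "T": 0x00080000,  # pre-authent, transited-policy-checked
    "O": 0x00040000,                   # ok-as-delegate (TKT_FLG_OK_AS_DELEGATE)
}
TKT_FLG_FORWARDABLE = KLIST_BITS["F"]
TKT_FLG_OK_AS_DELEGATE = KLIST_BITS["O"]


def klist_flags(flags: int) -> str:
    """Render a ticket's flag word the way klist's Flags column does, e.g. 'FRAO'."""
    return "".join(letter for letter, bit in KLIST_BITS.items() if flags & bit)


def kdc_issue_service_ticket_flags(tgt_flags: int, request_forwardable: bool,
                                   service_trusted_for_delegation: bool) -> int:
    """Hypothetical TGS policy from the thread (not MIT code): FORWARDABLE is copied only
    if the presented TGT is forwardable and the client asked for it; OK-AS-DELEGATE comes
    solely from a per-service attribute, never from anything in the client's request."""
    flags = 0
    if request_forwardable and tgt_flags & TKT_FLG_FORWARDABLE:
        flags |= TKT_FLG_FORWARDABLE
    if service_trusted_for_delegation:
        flags |= TKT_FLG_OK_AS_DELEGATE
    return flags


def client_will_forward_tgt(tgt_flags: int, service_ticket_flags: int,
                            check_delegate: bool = True) -> bool:
    """SSPI-style client decision: attach a forwarded TGT to the AP-REQ only if our TGT is
    forwardable and the service ticket carries OK-AS-DELEGATE. check_delegate=False models
    the z/OS krb5.conf switch mentioned in the thread, which skips the flag check."""
    if not tgt_flags & TKT_FLG_FORWARDABLE:
        return False  # nothing forwardable to hand over, whatever the policy says
    if not check_delegate:
        return True  # unchecked mode: credentials go to any service (the weaker setting)
    return bool(service_ticket_flags & TKT_FLG_OK_AS_DELEGATE)
```

With an MIT KDC of that era (which never sets the flag), the check fails for every service, which is exactly why the z/OS client only interoperates once check_delegate is switched off.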