Constraint delegation support (Microsoft extensions)
Luke Howard
lukeh at padl.com
Tue Jan 6 00:23:42 EST 2009
On 06/01/2009, at 3:49 PM, JC Ferguson wrote:
>
> Are there any technical/design documents describing what has been
> done to-date?
There is some background at:
http://msdn.microsoft.com/en-us/magazine/cc188757.aspx
It was implemented some years ago from the above article, although
Microsoft have recently published more detailed protocol documentation
in [MS-SFU].
A quick summary is: an intermediary service does a TGS-REQ to the
target service, presenting the client's ticket to itself in the
additional tickets field and setting KDC_OPT_CNAME_IN_ADDL_TKT. The
client ticket must be forwardable and the target service must be
listed in the "allowed to delegate to" property of the intermediary
service (this is exposed via KRB5_TL_CONSTRAINED_DELEGATION_ACL).
The returned ticket identifies the client to the target service.
> Are there plans for the client library? Are there any technical
> documents for this available?
A client library would be good to have, but there are no plans I'm aware
of right now. Certainly, some thought would be necessary as to whether
the existing delegation abstractions in GSS-API could be used, and
what the API should look like at the krb5 layer.
-- Luke
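As an added illustration (not code from Luke's post, nor from MIT krb5 or Heimdal), the following Python model walks the KDC-side checks that the summary above lists for an S4U2Proxy TGS-REQ: the cname-in-addl-tkt option, a forwardable client ticket in additional-tickets, and the target being on the intermediary's allowed-to-delegate-to list. The flag bit numbers come from RFC 4120 and [MS-SFU]; the check order, the `Ticket` stand-in and the service names are constructed for the example, and the DER helpers encode kdc-options the way it appears on the wire, which is what a capture-based detection would decode to tell an S4U2Proxy request from an ordinary TGS-REQ.

```python
from dataclasses import dataclass, field
# RFC 4120 KerberosFlags bit numbers (bit 0 is the MSB of the 32-bit word);
# cname-in-addl-tkt is the [MS-SFU] extension referred to in the post.
KDC_OPT_FORWARDABLE = 1
KDC_OPT_CNAME_IN_ADDL_TKT = 14
TKT_FLAG_FORWARDABLE = 1

def flags_to_der(bits):
    """Encode flag bit numbers as the DER BIT STRING used on the wire."""
    word = sum(1 << (31 - b) for b in bits)
    return bytes([0x03, 0x05, 0x00]) + word.to_bytes(4, "big")

def der_to_flags(der):
    """Inverse of flags_to_der; rejects anything but a 32-bit flag string."""
    if der[:3] != bytes([0x03, 0x05, 0x00]) or len(der) != 7:
        raise ValueError("not a 32-bit KerberosFlags BIT STRING")
    word = int.from_bytes(der[3:], "big")
    return {b for b in range(32) if word & (1 << (31 - b))}

@dataclass
class Ticket:            # constructed stand-in for a decrypted ticket
    cname: str
    sname: str
    flags: set = field(default_factory=set)

def kdc_s4u2proxy(intermediary, allowed_to_delegate_to, kdc_options_der,
                  sname, additional_tickets):
    """Model of the KDC policy: (ticket, None) or (None, reason for the log)."""
    opts = der_to_flags(kdc_options_der)
    if KDC_OPT_CNAME_IN_ADDL_TKT not in opts:
        return None, "cname-in-addl-tkt not set: ordinary TGS-REQ"
    if not additional_tickets:
        return None, "no client ticket in additional-tickets"
    client_tkt = additional_tickets[0]
    if client_tkt.sname != intermediary:
        return None, "additional ticket was not issued to the intermediary"
    if TKT_FLAG_FORWARDABLE not in client_tkt.flags:
        return None, "client ticket is not forwardable"
    if sname not in allowed_to_delegate_to:
        return None, f"{sname} is not in {intermediary}'s allowed-to-delegate-to list"
    # The ticket handed back names the original client, not the intermediary.
    return Ticket(client_tkt.cname, sname, {TKT_FLAG_FORWARDABLE}), None

# Constructed sample: a web front end delegating to a database service.
WEB, DB = "HTTP/web.example.com", "MSSQLSvc/db.example.com"
CLIENT_TKT = Ticket("alice", WEB, {TKT_FLAG_FORWARDABLE})
S4U_OPTIONS = flags_to_der({KDC_OPT_FORWARDABLE, KDC_OPT_CNAME_IN_ADDL_TKT})
if __name__ == "__main__":
    print(kdc_s4u2proxy(WEB, {DB}, S4U_OPTIONS, DB, [CLIENT_TKT]))
```

Each refusal reason is returned rather than raised so the same function can drive an audit log entry for requests that fail the delegation policy.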