AD-SIGNEDPATH and cross-realm

Love Hörnquist Åstrand lha at kth.se
Thu Feb 4 13:45:48 EST 2010


On 4 Feb 2010 at 10:40, Sam Hartman wrote:

>>>>>> "ghudson" == ghudson  <ghudson at MIT.EDU> writes:
> 
>    ghudson> * If AD-SIGNEDPATH is present in the ticket and checksum
>    ghudson> verification fails, we reject the TGS request even if we
>    ghudson> would have accepted the ticket without AD-SIGNEDPATH at all
>    ghudson> (i.e. it's not an S4U2Proxy request).  I'm pretty sure we
>    ghudson> want to be more like Heimdal, and merely disallow the
>    ghudson> ticket as an S4U2Proxy subject ticket if verification
>    ghudson> fails.  I am likely to make this change.
> 
> I think this is a really good change

This is a good change; it makes stuff break less in case of failure.

Also, cross-realm can also work: instead of using a master key, you can use the cross-realm key. The problem is whether the receiving KDC really wants to extend the trust that the signedpath provides to the source realm.

Love
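A simplified model of the policy discussed in this thread, added here as an example and not code from MIT krb5 or Heimdal: a failed AD-SIGNEDPATH check only bars the ticket from S4U2Proxy, and a foreign ticket is checked with the cross-realm key rather than the master key. The HMAC-SHA256 checksum, the realm names and the key values are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample keys (assumption, not real KDC material).
MASTER_KEY = b"local-realm-master-key-constructed"
CROSS_REALM_KEYS = {"OTHER.REALM": b"cross-realm-key-constructed"}
LOCAL_REALM = "LOCAL.REALM"

@dataclass
class Ticket:
    client: str
    realm: str                   # realm whose KDC issued the ticket
    transited: list              # delegation chain of principals
    signedpath: Optional[bytes]  # AD-SIGNEDPATH checksum, None if absent

def signing_key(realm: str) -> Optional[bytes]:
    """Local tickets are checked with the master key; a ticket from another
    realm can only be checked with that realm's cross-realm key."""
    if realm == LOCAL_REALM:
        return MASTER_KEY
    return CROSS_REALM_KEYS.get(realm)

def path_checksum(key: bytes, transited: list) -> bytes:
    # Canonical encoding: a NUL separator cannot occur inside a principal
    # name, so the chain cannot be re-split into a different path.
    data = "\x00".join(transited).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

def verify_signedpath(ticket: Ticket) -> bool:
    key = signing_key(ticket.realm)
    if ticket.signedpath is None or key is None:
        return False
    expected = path_checksum(key, ticket.transited)
    return hmac.compare_digest(expected, ticket.signedpath)

def evaluate_tgs(ticket: Ticket, s4u2proxy: bool,
                 trust_foreign_paths: bool = False) -> str:
    """Heimdal-style policy: a bad AD-SIGNEDPATH never rejects an ordinary
    TGS request; it only disqualifies the ticket as an S4U2Proxy subject."""
    if not s4u2proxy:
        return "accept"
    # Trusting a signedpath issued by another realm is a policy decision.
    if ticket.realm != LOCAL_REALM and not trust_foreign_paths:
        return "reject-s4u2proxy: foreign signedpath not trusted"
    if not verify_signedpath(ticket):
        return "reject-s4u2proxy: signedpath missing or verification failed"
    return "accept"
```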
