[EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

Nebergall, Christopher cneberg at sandia.gov
Thu Mar 14 13:12:34 EDT 2013

I used git-bisect to track down the first commit where the t_s4u test program fails running against Windows 2008 R2 SP 1. How do I disable FAST support for testing? Or I can help reduce the test case further if someone can tell me where to start.


09484d0e835928a48655c0650f7de97825607b2e is the first bad commit
commit 09484d0e835928a48655c0650f7de97825607b2e
Author: Sam Hartman <hartmans at mit.edu>
Date:   Wed Nov 23 01:04:38 2011 +0000


    Implement RFC 6113 FAST TGS support.

    Includes library support for a variant of explicit TGS armor that has not yet been proposed within the IETF.

    ticket: 7026

    git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25488 dc483132-0cff-0310-8789-dd5450dbe970

:040000 040000 b66f21d675fdcbe7427ba0140d73185e7134a4e0 a59cdbe0e1c273bd63a68f8dfb1c8e21ceb31364 M      src

-----Original Message-----
From: Nebergall, Christopher 
Sent: Wednesday, March 13, 2013 9:34 AM
To: Nebergall, Christopher; Greg Hudson
Cc: kerberos at mit.edu
Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

Do you have an idea why I can't get the t_s4u test program in 1.11.1 running against Windows 2008 R2 SP 1?

Setup comments from t_s4u.c:
 * Test program for protocol transition (S4U2Self) and constrained delegation
 * (S4U2Proxy)
 * Note: because of name canonicalization, the following tips may help
 * when configuring with Active Directory:
 * - Create a computer account FOO$
 * - Set the UPN to host/foo.domain (no suffix); this is necessary to
 *   be able to send an AS-REQ as this principal, otherwise you would
 *   need to use the canonical name (FOO$), which will cause principal
 *   comparison errors in gss_accept_sec_context().
 * - Add a SPN of host/foo.domain
 * - Configure the computer account to support constrained delegation with
 *   protocol transition (Trust this computer for delegation to specified
 *   services only / Use any authentication protocol)
 * - Add host/foo.domain to the keytab (possibly easiest to do this
 *   with ktadd)
 * For S4U2Proxy to work the TGT must be forwardable too.
 * Usage eg:
 * kinit -k -t test.keytab -f 'host/test.win.mit.edu at WIN.MIT.EDU'
 * ./t_s4u p:delegtest at WIN.MIT.EDU p:HOST/WIN-EQ7E4AA2WR8.win.mit.edu at WIN.MIT.EDU test.keytab  */

>>Set the UPN to host/foo.domain (no suffix);

I can't do this step: if I don't put @TOPHERVILLE.COM at the end of the UPN, then I can't do a kinit with the impersonator account.

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Nebergall, Christopher
Sent: Tuesday, March 12, 2013 3:04 PM
To: Greg Hudson
Cc: kerberos at mit.edu
Subject: RE: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

Thank you, I believe that will be very helpful, but I'm unable to test because, while I could get constrained delegation working with the t_s4u test program in 1.10.3, I can't get the test program to work with the same accounts in 1.11.1. The test AD server is Windows 2008 R2 SP 1 in both cases.

./t_s4u p:testusr1 at TOPHERVILLE.COM p:host/testkcd2.topherville.com at TOPHERVILLE.COM /tmp/kcd_keytab_tv
Protocol transition tests follow

gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type

-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU]
Sent: Monday, March 11, 2013 10:44 PM
To: Nebergall, Christopher
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

On 03/11/2013 08:23 PM, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?

This is only possible with 1.11 or later.  We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal.  More details at:
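
Greg's description above (the subject principal becomes the default ccache principal, and a ccache config entry remembers the impersonating service) can be checked directly against a FILE ccache. The reader below is an added example, not code from this thread or from MIT krb5; it assumes the version-4 FILE ccache layout and the krb5 convention for config entries (server principal krb5_ccache_conf_data/<key>@X-CACHECONF:, value carried in the ticket field), and the key name proxy_impersonator is taken from the krb5 source, not from this thread. The sample cache at the bottom is constructed inline, not a real capture.

```python
import struct
CONF_REALM, CONF_NAME = "X-CACHECONF:", "krb5_ccache_conf_data"
def _data(b, o):   # counted octet string: 4-byte big-endian length, then bytes
    n = struct.unpack(">I", b[o:o + 4])[0]
    return b[o + 4:o + 4 + n], o + 4 + n
def _princ(b, o):  # name type, component count, counted realm, counted components
    ncomp = struct.unpack(">II", b[o:o + 8])[1]
    realm, o = _data(b, o + 8)
    comps = []
    for _ in range(ncomp):
        c, o = _data(b, o)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), o
def _cred(b, o):   # one credential entry -> (client, server, ticket, next offset)
    client, o = _princ(b, o)
    server, o = _princ(b, o)
    _, o = _data(b, o + 2)          # keyblock: enctype (2 bytes) + counted key
    o += 16 + 1 + 4                 # four 32-bit timestamps, is_skey, ticket_flags
    for _ in range(2):              # address list, then authdata list
        n, o = struct.unpack(">I", b[o:o + 4])[0], o + 4
        for _ in range(n):
            _, o = _data(b, o + 2)  # addrtype / ad_type (2 bytes) + counted contents
    ticket, o = _data(b, o)
    _, o = _data(b, o)              # second_ticket
    return client, server, ticket, o
def parse_ccache(b):  # version-4 FILE ccache -> (default principal, config, [(client, server)])
    if b[:2] != b"\x05\x04":
        raise ValueError("only FILE ccache version 4 is handled")
    default, o = _princ(b, 4 + struct.unpack(">H", b[2:4])[0])  # skip the tagged header block
    config, creds = {}, []
    while o < len(b):
        client, server, ticket, o = _cred(b, o)
        name, realm = server.rsplit("@", 1)
        if realm == CONF_REALM and name.startswith(CONF_NAME + "/"):
            config[name.split("/", 1)[1]] = ticket.decode()  # conf value rides in the ticket field
        else:
            creds.append((client, server))
    return default, config, creds
def _enc(d):  # constructed sample below (not a real capture); encoder mirrors the reader
    return struct.pack(">I", len(d)) + d
def _enc_princ(p):
    name, realm = p.rsplit("@", 1)
    comps = [_enc(c.encode()) for c in name.split("/")]
    return struct.pack(">II", 1, len(comps)) + _enc(realm.encode()) + b"".join(comps)
def _enc_cred(client, server, ticket):  # 8-byte dummy key, zero times/flags, empty lists
    return _enc_princ(client) + _enc_princ(server) + b"\x00\x11" + _enc(bytes(8)) + bytes(29) + _enc(ticket) + _enc(b"")
SAMPLE = (b"\x05\x04\x00\x00" + _enc_princ("delegtest@WIN.MIT.EDU")
          + _enc_cred("delegtest@WIN.MIT.EDU", "krbtgt/WIN.MIT.EDU@WIN.MIT.EDU", b"<ticket>")
          + _enc_cred("delegtest@WIN.MIT.EDU", CONF_NAME + "/proxy_impersonator@" + CONF_REALM,
                      b"host/test.win.mit.edu@WIN.MIT.EDU"))
```

Running parse_ccache on a real cache written by 1.11 (klist shows the same entries) lets you confirm that the default principal is the impersonated user and that the impersonator is recorded, which is what a copied-back cache must preserve.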


Kerberos mailing list           Kerberos at mit.edu
