cross-realm Kerberos constrained delegation [S4U2Self]
Rajesh Kumar Raju
rajeshkr at pulsesecure.net
Tue Sep 26 05:25:15 EDT 2017
Dear all,
Thanks for developing such a wonderful stack.
I got a document, MS-SFU.pdf. Below is the content of page 28 of MS-SFU.pdf.
Below are the steps to create S4U2Self:
Step 1: The service sends a request to its TGS, TGS-A, for a TGT to TGS-B. No S4U2Self information is included in this request.
Step 2: TGS-A responds with the cross-realm TGT to TGS-B. If TGS-B was not the user's realm but was instead just a realm closer, then the service would send a KRB_TGS_REQ message to TGS-B to get a TGT to the next realm.
Note: TGS-A and TGS-B are ticket-granting servers from two different domains.
I am trying to understand steps 1 and 2 mentioned above. How can I get a TGT for TGS-B? Generally, a TGT is for the user.
Thanks in advance
More information about the krbdev
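The referral walk in the quoted steps 1 and 2, as an added example that is not part of the original post or of MIT krb5: a toy model in which each realm's KDC answers a KRB_TGS_REQ for krbtgt/TARGET either with the cross-realm TGT itself (direct trust) or with a TGT for the next realm on its trust path, and the service starts from its own TGT (the cname in every ticket is the service principal, not the user) and follows the sname of each returned ticket until it holds krbtgt/C@B for the user's realm C. The realm names, keys, the [capaths]-style next-hop table and the HMAC seal standing in for ticket encryption are all constructed for the simulation.

```python
# Added example, not MIT krb5 code: the cross-realm TGT walk of MS-SFU steps 1 and 2.
# Realms, keys and principal names are constructed for the simulation.
import hashlib
import hmac
import json
import os


def seal(key: bytes, enc_part: dict) -> bytes:
    """Stand-in for EncTicketPart encryption: HMAC tag + JSON body. Only a
    holder of `key` (the realm that owns the ticket's sname) can open it."""
    body = json.dumps(enc_part, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket was not issued under this realm's key")
    return json.loads(body)


class Ticket:
    """As in RFC 4120: srealm and sname travel in clear, the rest is sealed."""
    def __init__(self, srealm: str, sname: str, enc_part: bytes):
        self.srealm, self.sname, self.enc_part = srealm, sname, enc_part


class KDC:
    def __init__(self, realm: str, capath: dict):
        self.realm = realm
        self.capath = capath  # like krb5.conf [capaths]: target realm -> next hop
        self.keys = {f"krbtgt/{realm}@{realm}": os.urandom(32)}

    def trust(self, other: "KDC") -> None:
        """Two-way trust: both KDCs hold krbtgt/B@A and krbtgt/A@B."""
        for issuer, target in ((self, other), (other, self)):
            key = os.urandom(32)
            issuer.keys[f"krbtgt/{target.realm}@{issuer.realm}"] = key
            target.keys[f"krbtgt/{target.realm}@{issuer.realm}"] = key

    def _issue(self, sname: str, **enc) -> Ticket:
        return Ticket(self.realm, sname, seal(self.keys[sname], enc))

    def as_req(self, cname: str) -> Ticket:
        """AS exchange: a TGT for this realm in the requester's own name."""
        return self._issue(f"krbtgt/{self.realm}@{self.realm}",
                           cname=cname, crealm=self.realm, transited=[])

    def accept_tgt(self, tgt: Ticket) -> dict:
        """Open a TGT presented to this realm's TGS and extend `transited` by the
        realm that issued it, unless that is the client's own realm."""
        if tgt.sname != f"krbtgt/{self.realm}@{tgt.srealm}":
            raise PermissionError(f"{tgt.sname} is not a TGT for {self.realm}")
        enc = unseal(self.keys[tgt.sname], tgt.enc_part)
        if tgt.srealm != enc["crealm"]:
            enc["transited"] = enc["transited"] + [tgt.srealm]
        return enc

    def tgs_req(self, tgt: Ticket, target_realm: str) -> Ticket:
        """KRB_TGS_REQ for krbtgt/<target_realm>: the cross-realm TGT itself if
        we share a key with the target, else a TGT for the next hop on the path."""
        enc = self.accept_tgt(tgt)
        if target_realm == self.realm:
            raise ValueError("already in the target realm")
        direct = f"krbtgt/{target_realm}@{self.realm}"
        if direct in self.keys:
            sname = direct
        elif target_realm in self.capath:
            sname = f"krbtgt/{self.capath[target_realm]}@{self.realm}"
        else:
            raise LookupError(f"{self.realm} has no trust path to {target_realm}")
        return self._issue(sname, **enc)


def get_tgt_for_realm(kdcs: dict, tgt: Ticket, target_realm: str, max_hops: int = 8):
    """Steps 1 and 2 from the service side: starting from the service's own TGT,
    ask the TGS of whichever realm the current TGT is good for, until the TGT in
    hand is krbtgt/<target_realm>. Returns (tgt, realms_asked)."""
    asked = []
    while tgt.sname != f"krbtgt/{target_realm}@{tgt.srealm}":
        if len(asked) >= max_hops:
            raise RuntimeError("referral loop or path too long: " + " -> ".join(asked))
        tgs_realm = tgt.sname[len("krbtgt/"):].split("@")[0]  # realm this TGT is for
        tgt = kdcs[tgs_realm].tgs_req(tgt, target_realm)
        asked.append(tgs_realm)
    return tgt, asked


def build_forest() -> dict:
    """Constructed realms: A trusts B, B trusts C; A and C share no key."""
    a = KDC("A.EXAMPLE", capath={"C.EXAMPLE": "B.EXAMPLE"})
    b = KDC("B.EXAMPLE", capath={})
    c = KDC("C.EXAMPLE", capath={"A.EXAMPLE": "B.EXAMPLE"})
    a.trust(b)
    b.trust(c)
    return {k.realm: k for k in (a, b, c)}


def demo():
    kdcs = build_forest()
    svc_tgt = kdcs["A.EXAMPLE"].as_req("http/web.a.example")  # the service's own TGT
    tgt, asked = get_tgt_for_realm(kdcs, svc_tgt, "C.EXAMPLE")
    seen_by_c = kdcs["C.EXAMPLE"].accept_tgt(tgt)  # what TGS-C learns from that TGT
    return asked, tgt.sname, seen_by_c


if __name__ == "__main__":
    print(demo())
```

What TGS-C sees when that TGT arrives with the S4U2Self request is the service's own identity (cname http/web.a.example, crealm A.EXAMPLE) plus the transited list [B.EXAMPLE], which is the point at which a real KDC would apply its transited-realm policy before acting on the PA-FOR-USER data; presenting the service's original krbtgt/A.EXAMPLE@A.EXAMPLE to TGS-C instead is rejected, because C holds no key for it.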