Did some more digging and found out the following: the service ticket used in S4U2Proxy need not be forwardable if resource-based constrained delegation is used, i.e. the principalsAllowedToDelegateTo option is configured on Service B.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/dd1b47f9-580c-4c4e-8f34-4485b9728331

This is proved here: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#serendipity

On Sat, Jul 24, 2021 at 2:08 AM Vipul Mehta <vipulmehta.1...@gmail.com> wrote:

> Hi,
>
> To perform constrained delegation from Service A to Service B, the
> forwardable flag must be set in the S4U2Self service ticket returned by the KDC
> to Service A.
>
> I did some testing with the Windows KDC and it will set the forwardable flag in the
> S4U2Self service ticket in either of the following cases:
>
> 1) TrustedToAuthForDelegation is set to true on the Service A account.
>
> 2) The Service A TGT used in S4U2Self has the forwardable flag set and the
> msDS-AllowedToDelegateTo list is empty on the Service A account.
>
> I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> in the 2nd case.
>
> Is the behavior of the MIT KDC the same as the Windows KDC?
>
> In my test, I have configured resource-based constrained delegation on
> Service B (principalsAllowedToDelegateTo).
>
> --
> Regards,
> Vipul

--
Regards,
Vipul

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
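The thread turns on whether the forwardable flag is set in the S4U2Self service ticket and whether S4U2Proxy requires it. The following is an added example, not code from the list thread or from MIT Kerberos: it decodes a TicketFlags value into flag names so the forwardable bit can be checked directly, from either the 32-bit hex value that Windows `klist` prints or the letter string that MIT `klist -f` prints, and it encodes the evidence-ticket rule the thread describes (forwardable required for classic constrained delegation, not required when resource-based constrained delegation is configured on the target). Bit positions follow RFC 4120 section 5.2.8 plus the MS-KILE name-canonicalize bit; the sample flag values are constructed.

```python
"""Decode Kerberos TicketFlags and check the forwardable bit.

Added example for the Kerberos list thread on S4U2Self/S4U2Proxy; not
code from the thread, MIT Kerberos or Microsoft.  Bit numbers are the
RFC 4120 TicketFlags positions (bit 0 is the most significant bit of the
32-bit value).  Bit 15 (name-canonicalize) is the MS-KILE extension that
Windows klist displays.  Sample values used below are constructed.
"""

# RFC 4120 section 5.2.8 TicketFlags bit positions (bit 0 = MSB).
TICKET_FLAG_BITS = {
    "reserved": 0,
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may-postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "hw-authent": 11,
    "transited-policy-checked": 12,
    "ok-as-delegate": 13,
    "name-canonicalize": 15,  # MS-KILE extension, shown by Windows klist
}

# Letter codes printed by MIT 'klist -f' (see the klist(1) man page).
KLIST_LETTERS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "may-postdate", "d": "postdated", "i": "invalid", "R": "renewable",
    "I": "initial", "H": "hw-authent", "A": "pre-authent",
    "T": "transited-policy-checked", "O": "ok-as-delegate",
}


def decode_ticket_flags(value):
    """Return the set of flag names set in a 32-bit TicketFlags value,
    e.g. the 0x40a10000 that Windows klist prints for a ticket."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("TicketFlags is a 32-bit value")
    return {name for name, bit in TICKET_FLAG_BITS.items()
            if value & (1 << (31 - bit))}


def decode_klist_letters(letters):
    """Return the set of flag names from an MIT 'klist -f' flags string."""
    names = set()
    for ch in letters:
        if ch not in KLIST_LETTERS:
            raise ValueError(f"unknown klist flag letter {ch!r}")
        names.add(KLIST_LETTERS[ch])
    return names


def is_forwardable(flags):
    """True if the forwardable flag is among the decoded flag names."""
    return "forwardable" in flags


def evidence_ticket_usable(flags, rbcd_on_target):
    """Apply the rule from the thread: an S4U2Proxy evidence ticket must be
    forwardable for classic constrained delegation (msDS-AllowedToDelegateTo
    on Service A), but need not be when Service B has resource-based
    constrained delegation (principalsAllowedToDelegateTo) configured."""
    return rbcd_on_target or is_forwardable(flags)


if __name__ == "__main__":
    # Constructed sample: the flags value Windows klist shows for a typical
    # forwardable, renewable, pre-authenticated service ticket.
    win_flags = decode_ticket_flags(0x40A10000)
    print(sorted(win_flags))
    print("forwardable:", is_forwardable(win_flags))
    # Constructed sample: MIT klist -f output for a non-forwardable ticket.
    mit_flags = decode_klist_letters("RA")
    print("usable for S4U2Proxy with RBCD:", evidence_ticket_usable(mit_flags, True))
    print("usable for S4U2Proxy without RBCD:", evidence_ticket_usable(mit_flags, False))
```

When reproducing the test from the thread, decode the S4U2Self ticket's flags with `decode_ticket_flags` (Windows) or `decode_klist_letters` (MIT) and compare against the two cases Vipul lists; `evidence_ticket_usable` then tells you whether the missing forwardable flag matters for the Service B configuration in use.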