Now that we know the behavior is unified and the S4U2Self ticket should be forwardable to avoid the vulnerability, I think we can add a check in the MIT Kerberos API itself such that, before sending the S4U2Proxy TGS-REQ to the KDC, if the ticket is not forwardable it fails in the client itself.
I can see that the JDK has this check:
https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java -> line 105

On Wed, Jul 28, 2021 at 2:08 PM Isaac Boukris <ibouk...@gmail.com> wrote:
> On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta <vipulmehta.1...@gmail.com> wrote:
> >
> > I have Windows Server 2012 R2 with all the security updates installed and did some tests:
> >
> > Resource Based Constrained Delegation configured for Service A in Service B account.
> >
> > Case 1) Service A: trustedToAuthForDelegation = false and non-empty msds-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag and the subsequent S4U2Proxy failed.
>
> That's expected because the default of 'NonForwardableDelegation' is enabled I think, so RBCD requires the forwardable flag now; if you set NonForwardableDelegation to disabled (that is, to 1 ..), then RBCD S4U2Proxy will continue to work as before the update.

-- 
Regards,
Vipul
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
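A client-side gate of the kind proposed in the message above, written here as an added example in C. It is not MIT Kerberos's own code and is not the JDK check linked above; it only illustrates the idea. The example decodes the TicketFlags BIT STRING from a KDC reply into the bit layout MIT krb5 uses for krb5_creds.ticket_flags and then refuses to go on to S4U2Proxy when the forwardable bit is clear, so the failure happens locally instead of at the KDC. The two DER byte strings are constructed sample inputs, the TKT_FLG_* values are the ones defined in MIT's krb5.h, and the function names decode_ticket_flags and s4u2proxy_precheck are this example's own, not a library API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Flag bits in the layout MIT krb5 uses for krb5_creds.ticket_flags
 * (values as in krb5.h): RFC 4120 TicketFlags bit n maps to bit (31 - n). */
#define TKT_FLG_FORWARDABLE 0x40000000u   /* TicketFlags bit 1 */
#define TKT_FLG_RENEWABLE   0x00800000u   /* TicketFlags bit 8 */
#define TKT_FLG_PRE_AUTH    0x00200000u   /* TicketFlags bit 10 */

/*
 * Decode a DER-encoded KerberosFlags BIT STRING (tag 0x03, short-form
 * length 5: one unused-bits octet followed by 32 bits of flags) into the
 * mask layout above. Returns 0 on success, -1 on malformed or
 * unexpectedly sized input. Example helper, not a libkrb5 function.
 */
int decode_ticket_flags(const uint8_t *der, size_t len, uint32_t *flags_out)
{
    if (der == NULL || flags_out == NULL)
        return -1;
    if (len != 7 || der[0] != 0x03 || der[1] != 0x05)
        return -1;                       /* expect exactly 4 flag octets */
    uint8_t unused = der[2];
    if (unused > 7)
        return -1;
    uint32_t flags = ((uint32_t)der[3] << 24) | ((uint32_t)der[4] << 16) |
                     ((uint32_t)der[5] << 8)  |  (uint32_t)der[6];
    /* The unused low-order bits of the last octet carry no meaning. */
    flags &= ~((1u << unused) - 1u);
    *flags_out = flags;
    return 0;
}

/*
 * Client-side gate: before building an S4U2Proxy TGS-REQ, require that the
 * S4U2Self ticket we hold is forwardable. Returns 0 if S4U2Proxy may
 * proceed, -1 (with *why set) if it should be refused without a round trip.
 */
int s4u2proxy_precheck(uint32_t s4u2self_flags, const char **why)
{
    if (!(s4u2self_flags & TKT_FLG_FORWARDABLE)) {
        if (why)
            *why = "S4U2Self ticket is not forwardable; S4U2Proxy refused client-side";
        return -1;
    }
    if (why)
        *why = NULL;
    return 0;
}

int main(void)
{
    /* Constructed sample TicketFlags: forwardable|renewable|pre-authent,
     * and the same set with forwardable cleared. */
    static const uint8_t fwd[]   = {0x03, 0x05, 0x00, 0x40, 0xA0, 0x00, 0x00};
    static const uint8_t nofwd[] = {0x03, 0x05, 0x00, 0x00, 0xA0, 0x00, 0x00};
    const uint8_t *samples[] = {fwd, nofwd};
    size_t sizes[] = {sizeof fwd, sizeof nofwd};

    for (size_t i = 0; i < 2; i++) {
        uint32_t flags;
        const char *why;
        if (decode_ticket_flags(samples[i], sizes[i], &flags) != 0) {
            printf("sample %zu: malformed TicketFlags\n", i);
            continue;
        }
        int rc = s4u2proxy_precheck(flags, &why);
        printf("sample %zu: flags=0x%08x -> %s\n", i, flags,
               rc == 0 ? "send S4U2Proxy TGS-REQ" : why);
    }
    return 0;
}
```

In a real client the flags would come from the krb5_creds returned by the S4U2Self exchange rather than from a hand-decoded bit string; the gate itself is the same single bit test, placed before the S4U2Proxy request is constructed.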