I have Windows Server 2012 R2 with all the security updates installed and did some tests:

Resource Based Constrained Delegation configured for Service A in Service B account.

Case 1) Service A: trustedToAuthForDelegation = false and non-empty msDS-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag and subsequent S4U2Proxy failed.

Case 2) Service A: trustedToAuthForDelegation = false and empty msDS-AllowedToDelegateTo -> S4U2Self ticket was forwardable and subsequent S4U2Proxy passed.

Because the ticket signature check has been enabled in the KDC by the security update, I now cannot change the forwardable flag from false to true in the S4U2Self ticket in case 1).

On Tue, Jul 27, 2021 at 9:58 PM Isaac Boukris <ibouk...@gmail.com> wrote:
> On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta <vipulmehta.1...@gmail.com> wrote:
> >
> > Need a clarification:
> > MIT KDC will set the forwardable flag in the S4U2Self ticket in the following cases (provided the account is not sensitive and not part of a secure group):
> > 1) ok_to_auth_as_delegate is true
> > or
> > 2) ok_to_auth_as_delegate is false and the Service TGT has the forwardable flag set
>
> In case of 2) we'll also check that 'ServicesAllowedToSendForwardedTicketsTo' is empty, like in the doc. I was just suggesting, implementation-wise, that we do it in the plugin instead of the KDC itself; that is, when the principal is retrieved the plugin will add 'ok_to_auth_as_delegate' if 'ServicesAllowedToSendForwardedTicketsTo' is empty.

--
Regards,
Vipul
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
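As an added illustration (not code from the thread or from MIT Kerberos), a small Python model of the forwardable-flag rule the thread describes, checked against the two observed cases; the SPN value and the boolean standing in for the RBCD configuration on Service B are assumptions:

```python
# Added example: models the S4U2Self forwardable decision as described in the
# thread, then replays the two observed Windows Server 2012 R2 cases.
from dataclasses import dataclass


@dataclass
class ServiceAccount:
    # trustedToAuthForDelegation in AD, ok_to_auth_as_delegate in MIT KDC terms
    trusted_to_auth_for_delegation: bool
    # msDS-AllowedToDelegateTo ('ServicesAllowedToSendForwardedTicketsTo' in the thread)
    allowed_to_delegate_to: tuple = ()
    tgt_forwardable: bool = True  # forwardable flag on the service's own TGT


@dataclass
class UserAccount:
    sensitive: bool = False        # "account is sensitive and cannot be delegated"
    protected_group: bool = False  # member of a secure group (e.g. Protected Users)


def s4u2self_forwardable(svc: ServiceAccount, user: UserAccount) -> bool:
    """True if the KDC, per the rule in the thread, sets forwardable on the S4U2Self ticket."""
    if user.sensitive or user.protected_group:
        return False
    if svc.trusted_to_auth_for_delegation:          # rule 1) protocol transition allowed
        return True
    # rule 2) no protocol transition: forwardable only if the service TGT is
    # forwardable AND msDS-AllowedToDelegateTo is empty
    return svc.tgt_forwardable and not svc.allowed_to_delegate_to


def s4u2proxy_rbcd_accepted(svc: ServiceAccount, user: UserAccount,
                            rbcd_configured: bool) -> bool:
    """RBCD S4U2Proxy succeeds only with a forwardable S4U2Self ticket and with
    Service A listed on Service B (modelled here as a single assumed boolean)."""
    return rbcd_configured and s4u2self_forwardable(svc, user)


def observed_cases() -> dict:
    """Replay the thread's two cases with constructed inputs (hypothetical SPN)."""
    user = UserAccount()
    case1 = ServiceAccount(False, ("cifs/serviceb.example.com",))  # non-empty list
    case2 = ServiceAccount(False, ())                               # empty list
    return {
        "case1": (s4u2self_forwardable(case1, user), s4u2proxy_rbcd_accepted(case1, user, True)),
        "case2": (s4u2self_forwardable(case2, user), s4u2proxy_rbcd_accepted(case2, user, True)),
    }
```

Each entry of `observed_cases()` is (S4U2Self forwardable, S4U2Proxy accepted), matching the failed/passed outcomes reported above.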