On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta wrote:
>
> I have Windows Server 2012 R2 with all the security updates installed and did
> some tests:
>
> Resource Based Constrained Delegation configured for Service A in Service B
> account.
>
> Case 1) Service A : trustedToAuthForDelegation = fal
On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta wrote:
>
> Now we know that behavior is unified and S4U2Self ticket should be
> forwardable to avoid vulnerability, I think we can add a check in MIT
> Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if
> ticket is not forwardab
Now we know that behavior is unified and S4U2Self ticket should be
forwardable to avoid vulnerability, I think we can add a check in MIT
Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if
ticket is not forwardable it will fail in client itself.
I can see that JDK has this ch
I have Windows Server 2012 R2 with all the security updates installed and
did some tests:
Resource Based Constrained Delegation configured for Service A in Service B
account.
Case 1) Service A : trustedToAuthForDelegation = false and non-empty
msds-AllowedToDelegateTo -> S4U2Self ticket didn't