On 7/23/21 4:38 PM, Vipul Mehta wrote:
> I did some testing with Windows KDC and it will set forwardable flag in
> S4U2Self service ticket in either of the following cases:
>
> 1) TrustedToAuthForDelegation is set to true in Service A account.
>
> 2) Service A TGT used in S4U2Self has forwardable flag set and
> msDS-AllowedToDelegateTo list is empty on Service A account.
>
> I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> in the 2nd case.
>
> Is the behavior of MIT KDC the same as Windows KDC ?

We have an analog of the TrustedToAuthForDelegation flag, called ok_to_auth_as_delegate. We don't check for an empty allowed-to-delegate-to list.

> Service ticket used in S4U2Proxy need not be forwardable if resource
> based constrained delegation is used i.e.
> principalsAllowedToDelegateTo option is
> configured on Service B.

Note that, as of 2019, the forwardable flag must be set on the evidence ticket if the delegation is authorized in both directions (on the intermediate service and the target service). We implemented this counterintuitive behavior in the MIT KDC for consistency.

There is some reason to think this might be changing. This article (noted by Isaac):

https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3

talks about a protection measure that "unifies the logic for Resource-Based Constrained Delegation (RBCD) with the original constrained delegation." We have asked Microsoft for clarification.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
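The following is an added example, not code from either poster or from the MIT krb5 project. It does two things the thread discusses: it encodes the two cases Vipul observed for when the Windows KDC sets the forwardable flag on an S4U2Self ticket as a small decision function, and it audits concatenated `kadmin.local -q "getprinc ..."` output for principals carrying OK_TO_AUTH_AS_DELEGATE, the attribute name MIT kadmin prints for the ok_to_auth_as_delegate flag that the reply names as MIT's analog of TrustedToAuthForDelegation. The getprinc output is a constructed sample (the principal names and realm are made up); the parser only relies on the `Principal:` and `Attributes:` lines.

```python
import re

# Constructed sample of concatenated `kadmin.local -q "getprinc <name>"` output
# for two principals. Realm and principal names are made up; the attribute
# keywords are the ones MIT kadmin prints for the corresponding principal flags.
SAMPLE_GETPRINC = """\
Principal: HTTP/svc-a.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Jul 22 10:00:00 UTC 2021
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Attributes: REQUIRES_PRE_AUTH OK_TO_AUTH_AS_DELEGATE
Policy: [none]

Principal: cifs/svc-b.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Jul 22 10:05:00 UTC 2021
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""


def parse_getprinc(text):
    """Return {principal: set of attribute keywords} from getprinc output.

    Each principal block starts with a 'Principal:' line; the 'Attributes:'
    line lists zero or more whitespace-separated flag keywords.
    """
    result = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line[len("Principal:"):].strip()
            result[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            result[current] = set(line[len("Attributes:"):].split())
    return result


def protocol_transition_principals(text):
    """Principals with ok_to_auth_as_delegate set (kadmin keyword
    OK_TO_AUTH_AS_DELEGATE), i.e. the accounts a reviewer should confirm
    really need protocol transition."""
    return sorted(
        princ for princ, attrs in parse_getprinc(text).items()
        if "OK_TO_AUTH_AS_DELEGATE" in attrs
    )


def windows_s4u2self_forwardable(trusted_to_auth_for_delegation,
                                 tgt_forwardable,
                                 allowed_to_delegate_to):
    """Windows KDC behaviour as observed in the thread (not an official spec):
    the S4U2Self service ticket is forwardable if TrustedToAuthForDelegation
    is set on Service A, or if Service A's TGT is forwardable and its
    msDS-AllowedToDelegateTo list is empty."""
    if trusted_to_auth_for_delegation:
        return True
    return bool(tgt_forwardable) and not allowed_to_delegate_to


if __name__ == "__main__":
    for princ in protocol_transition_principals(SAMPLE_GETPRINC):
        print("protocol transition enabled:", princ)
    # Vipul's second case: forwardable TGT, empty A2D2 list -> forwardable.
    print(windows_s4u2self_forwardable(False, True, []))
    # Same TGT, but a populated A2D2 list -> not forwardable.
    print(windows_s4u2self_forwardable(False, True, ["cifs/svc-b.example.com"]))
```

To run the audit against a real KDC, concatenate `getprinc` output for the principals of interest (for example by looping over `listprincs`) and feed it to `protocol_transition_principals`; the decision function is only a model of the observed Windows rule and does not describe how the MIT KDC decides.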