On Mon, Jul 26, 2021 at 10:17 PM Greg Hudson <ghud...@mit.edu> wrote: > > On 7/23/21 4:38 PM, Vipul Mehta wrote: > > I did some testing with Windows KDC and it will set forwardable flag in > > S4U2Self service ticket in either of the following cases: > > > > 1) TrustedToAuthForDelegation is set to true in Service A account. > > > > 2) Service A TGT used in S4U2Self has forwardable flag set and > > msDS-AllowedToDelegateTo list is empty on Service A account. > > I am not able to understand why msDS-AllowedToDelegateTo needs to be empty > > in the 2nd case. > > > > Is the behavior of MIT KDC the same as Windows KDC ? > > We have an analog of the TrustedToAuthForDelegation flag, called > ok_to_auth_as_delegate. We don't check for an empty > allowed-to-delegate-to list. ... > https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3
Now that I read this again, and read again the "Additional considerations" section in that link, I think what might happened with this change is that now RBCD requires the forwardable flag but any service with an empty msDS-AllowedToDelegateTo to list, as Vipul remarked, gets treated as TrustedToAuthForDelegation and gets the flag (presumably, unless the client is in the protected-users group or has the not-delegated flag). I'll run some tests and check it with dochelp. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos