> On 9/30/22 16:06, Machin, Glenn Douglas via Kerberos wrote:
>> Can someone tell me if a TGT containing an authentication indicator will
>> work over to a service principal in another realm which has a cross realm
>> trust relationship?
>
> Authentication indicators are currently only accepted within the same
> realm; cross-realm service ticket requests do not preserve the
> indicators from the cross-realm TGT.
Hm, should they be preserved? We are in the unusual situation of (a) relying on ticket flags to indicate the use of hardware preauth and (b) we do a lot of cross-realm. So we depend on the client realm asserting the hw-auth ticket flag and make authorization decisions based on that (obviously, we trust those realms to only assert the hw-auth flag when appropriate). AND my eventual plan was to transition to authentication indicators instead of the hw-auth ticket flag.

RFC 8129 acknowledges the existence of cross-realm authentication and vaguely implies they will be preserved, specifically here:

    Application service evaluation of site-defined indicators MUST
    consider the realm of original authentication in order to avoid
    cross-realm indicator collisions. Failure to enforce this property
    can result in invalid authorization decisions.

So is this just an implementation detail? Is there something more that I am missing? (Entirely possible!) If it's just an implementation detail, what would the parameters of an acceptable patch look like? E.g., would the default be to not accept any authentication indicators when doing cross-realm, and you have to explicitly list realms you accept authentication indicators from? Or something else?

--Ken
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
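An added illustration of the two ideas in the exchange above: the RFC 8129 rule that a service must qualify site-defined indicators by the realm of original authentication (so that two realms both emitting an indicator called "hwauth" do not collide), and the policy knob Ken floats, where cross-realm indicators are ignored by default and honoured only from explicitly listed realms. This is example policy code written for this page; it is not MIT krb5 code, not a proposed patch, and not from any participant in the thread. The ticket fields, the realm names, the indicator name "hwauth" and the `hw_authent` fallback are all constructed for the demonstration.

```python
"""Realm-scoped evaluation of Kerberos authentication indicators.

Example code (not MIT krb5). Models a service-side policy that follows
RFC 8129's requirement to consider the realm of original authentication
and adds an explicit per-realm allowlist for cross-realm indicators.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceTicket:
    """The decrypted ticket fields this policy looks at (constructed sample)."""
    client_principal: str   # e.g. "ken@ENG.EXAMPLE"
    client_realm: str       # realm that originally authenticated the client
    hw_authent: bool        # RFC 4120 HW-AUTHENT ticket flag, set by the client realm's KDC
    indicators: frozenset   # RFC 8129 indicator strings carried in the ticket, if any


@dataclass(frozen=True)
class IndicatorPolicy:
    """Service-side policy: which realms' indicators do we believe?"""
    local_realm: str
    # Realms other than our own whose indicators we honour. Empty by default,
    # i.e. the conservative default floated in the post: no cross-realm indicators.
    trusted_realms: frozenset = frozenset()

    def realm_trusted(self, realm: str) -> bool:
        return realm == self.local_realm or realm in self.trusted_realms

    def qualified_indicators(self, t: ServiceTicket) -> frozenset:
        """Indicators as (realm, name) pairs; none at all from an untrusted realm."""
        if not self.realm_trusted(t.client_realm):
            return frozenset()
        return frozenset((t.client_realm, name) for name in t.indicators)

    def satisfies(self, t: ServiceTicket, required: frozenset) -> bool:
        """`required` is a set of (realm, indicator) pairs; any one of them suffices."""
        return bool(self.qualified_indicators(t) & required)

    def hw_flag_ok(self, t: ServiceTicket) -> bool:
        """The legacy check from the post: trust the HW-AUTHENT flag, but only
        from realms we have decided to trust for that assertion."""
        return t.hw_authent and self.realm_trusted(t.client_realm)


def naive_satisfies(t: ServiceTicket, required_names: frozenset) -> bool:
    """What RFC 8129 forbids: matching bare indicator names regardless of realm.
    Shown only to make the cross-realm collision visible."""
    return bool(t.indicators & required_names)


# Constructed sample tickets. Both foreign realms emit an indicator named "hwauth";
# only ENG.EXAMPLE is a realm this service has decided to trust for it.
ENG = ServiceTicket("ken@ENG.EXAMPLE", "ENG.EXAMPLE", True, frozenset({"hwauth"}))
PARTNER = ServiceTicket("m@PARTNER.EXAMPLE", "PARTNER.EXAMPLE", True, frozenset({"hwauth"}))
LOCAL_PW = ServiceTicket("bob@SRV.EXAMPLE", "SRV.EXAMPLE", False, frozenset())

REQUIRED = frozenset({("SRV.EXAMPLE", "hwauth"), ("ENG.EXAMPLE", "hwauth")})
DEFAULT_POLICY = IndicatorPolicy("SRV.EXAMPLE")
ALLOWLIST_POLICY = IndicatorPolicy("SRV.EXAMPLE", frozenset({"ENG.EXAMPLE"}))


def demo() -> dict:
    """Collect the policy decisions so they can be inspected or asserted on."""
    return {
        "default_rejects_eng": not DEFAULT_POLICY.satisfies(ENG, REQUIRED),
        "allowlist_accepts_eng": ALLOWLIST_POLICY.satisfies(ENG, REQUIRED),
        "allowlist_rejects_partner": not ALLOWLIST_POLICY.satisfies(PARTNER, REQUIRED),
        "naive_collision": naive_satisfies(PARTNER, frozenset({"hwauth"})),
        "hw_flag_eng": ALLOWLIST_POLICY.hw_flag_ok(ENG),
        "hw_flag_partner": ALLOWLIST_POLICY.hw_flag_ok(PARTNER),
        "local_password_only": not ALLOWLIST_POLICY.satisfies(LOCAL_PW, REQUIRED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `naive_satisfies` is the collision the RFC warns about: PARTNER.EXAMPLE's "hwauth" is accepted by a name-only match but rejected once the indicator is keyed by realm and the realm has to be on the allowlist. Whether the indicator ever reaches the service across a cross-realm TGS exchange is the separate, KDC-side question the reply at the top of the thread answers for MIT krb5 today.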