Hi, I have one more query on this based on the following statement in the Microsoft document:

"If a non forwardable S4U2self-generated user's service ticket for a nonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request."
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960

Is this implemented in the MIT Kerberos client?

On Thu, Jul 29, 2021 at 2:20 PM Vipul Mehta <vipulmehta.1...@gmail.com> wrote:
> Thank you.
> This was a useful discussion for me.
>
> On Wed, Jul 28, 2021 at 4:36 PM Isaac Boukris <ibouk...@gmail.com> wrote:
>
>> On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1...@gmail.com>
>> wrote:
>> >
>> > Now we know that behavior is unified and S4U2Self ticket should be
>> > forwardable to avoid vulnerability, I think we can add a check in MIT
>> > Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if
>> > ticket is not forwardable it will fail in client itself.
>> >
>> > I can see that JDK has this check:
>> >
>> > https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
>> > -> line 105
>>
>> MIT used to have that as well before RBCD was added, although I don't
>> think this was ever necessary, as that check should be done in the
>> KDC. Also disabling NonForwardableDelegation can be a valid usage when
>> relying on SIDs and not using protected-group, as in the original RBCD
>> design:
>>
>> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
>
>
> --
> Regards,
> Vipul

--
Regards,
Vipul

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
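Added example (not MIT Kerberos or JDK code) of the client-side guard the thread discusses: decode the TicketFlags of the S4U2Self service ticket and refuse to use it in an S4U2Proxy TGS-REQ when FORWARDABLE is clear. Bit positions follow RFC 4120, the TKT_FLG_FORWARDABLE value is the one in MIT's krb5.h, and the two sample flag strings are constructed; as Isaac notes above, the authoritative check is the KDC's, so this is only a local fail-fast.

```python
# RFC 4120 section 5.2.8: KerberosFlags is an ASN.1 BIT STRING whose
# bit 0 is the most significant bit of the first octet.  These are the
# TicketFlags bit numbers; MIT's TKT_FLG_* constants use the same layout
# read as a big-endian 32-bit word.
TICKET_FLAGS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}
TKT_FLG_FORWARDABLE = 0x40000000  # value used in MIT krb5.h


def decode_ticket_flags(der: bytes) -> set[str]:
    """Decode a DER BIT STRING (short-form length) into flag names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    names = set()
    for bit in range(len(body) * 8 - unused):
        if body[bit // 8] & (0x80 >> (bit % 8)):
            names.add(TICKET_FLAGS.get(bit, f"bit{bit}"))
    return names


def ticket_flags_word(der: bytes) -> int:
    """The same flags as the 32-bit word MIT keeps in creds.ticket_flags,
    so `ticket_flags_word(x) & TKT_FLG_FORWARDABLE` is the C-side test.
    Assumes `der` already passed decode_ticket_flags()."""
    return int.from_bytes(der[3:7].ljust(4, b"\x00"), "big")


def s4u2self_ticket_usable_for_s4u2proxy(flags_der: bytes) -> bool:
    """Client-side guard from the thread: do not put an S4U2Self ticket
    that lacks FORWARDABLE into the additional-tickets of an S4U2Proxy
    TGS-REQ; fail locally instead of relying on the KDC to reject it."""
    return "forwardable" in decode_ticket_flags(flags_der)


# Constructed sample TicketFlags (not captured from a real KDC).
# forwardable(1) + renewable(8) + pre-authent(10) -> 0x40A00000
FLAGS_FORWARDABLE = bytes.fromhex("03050040a00000")
# Same ticket with forwardable cleared by the KDC -> 0x00A00000
FLAGS_NOT_FORWARDABLE = bytes.fromhex("03050000a00000")

if __name__ == "__main__":
    print(sorted(decode_ticket_flags(FLAGS_FORWARDABLE)))
    print(s4u2self_ticket_usable_for_s4u2proxy(FLAGS_NOT_FORWARDABLE))
```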