Thanks.
This information will be provided to openjdk dev as they were asking about
MIT krb5 behavior -> https://bugs.openjdk.java.net/browse/JDK-8272162
On Wed, Aug 25, 2021 at 1:00 PM Isaac Boukris wrote:
> Hi Vipul,
>
> On Wed, Aug 25, 2021 at 6:12 AM Vipul Mehta
> wrote:
> >
> > I have one m
Hi Vipul,
On Wed, Aug 25, 2021 at 6:12 AM Vipul Mehta wrote:
>
> I have one more query on this based on following statement in microsoft
> document:
>
> "If a non forwardable S4U2self-generated user's service ticket for a
> nonsensitive user is used, then the SFU client SHOULD<11> locate a
> D
Hi,
I have one more query on this based on following statement in microsoft
document:
"If a non forwardable S4U2self-generated user's service ticket for a
nonsensitive user is used, then the SFU client SHOULD<11> locate a
DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request."
h
Thank you.
This was a useful discussion for me.
On Wed, Jul 28, 2021 at 4:36 PM Isaac Boukris wrote:
> On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta
> wrote:
> >
> > Now we know that behavior is unified and S4U2Self ticket should be
> forwardable to avoid vulnerability, I think we can add a check
I have Windows Server 2012 R2 with all the security updates installed and
did some tests:
Resource Based Constrained Delegation configured for Service A in Service B
account.
Case 1) Service A : trustedToAuthForDelegation = false and non-empty
msds-AllowedToDelegateTo -> S4U2Self ticket didn't
Now we know that behavior is unified and S4U2Self ticket should be
forwardable to avoid vulnerability, I think we can add a check in MIT
Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if
ticket is not forwardable it will fail in client itself.
I can see that JDK has this ch
On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta wrote:
>
> Now we know that behavior is unified and S4U2Self ticket should be
> forwardable to avoid vulnerability, I think we can add a check in MIT
> Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if
> ticket is not forwardab
On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta wrote:
>
> I have Windows Server 2012 R2 with all the security updates installed and did
> some tests:
>
> Resource Based Constrained Delegation configured for Service A in Service B
> account.
>
> Case 1) Service A : trustedToAuthForDelegation = fal
On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta wrote:
>
> Need a clarification:
> MIT KDC will set the forwardable flag in S4U2Self ticket in the following cases
> (provided account is not sensitive and not part of secure group):
> 1) ok_to_auth_as_delegate is true
> or
> 2) ok_to_auth_as_delegate is fal
Need a clarification:
MIT KDC will set the forwardable flag in S4U2Self ticket in the following cases
(provided account is not sensitive and not part of secure group):
1) ok_to_auth_as_delegate is true
or
2) ok_to_auth_as_delegate is false and Service TGT has forwardable flag set
Am I correct here ?
Note, for MIT I think we don't need the NonForwardableDelegation flag,
just need to behave as enabled and let the plugin's get_principal()
add 'TrustedToAuthForDelegation' if the list is empty. This could
simplify the KDC code as we don't need to check the PAC's
not-delegated flag, although some te
On Tue, Jul 27, 2021 at 1:17 PM Isaac Boukris wrote:
>
> On Mon, Jul 26, 2021 at 10:17 PM Greg Hudson wrote:
> >
> > On 7/23/21 4:38 PM, Vipul Mehta wrote:
> > > I did some testing with Windows KDC and it will set forwardable flag in
> > > S4U2Self service ticket in either of the following cases:
On Mon, Jul 26, 2021 at 10:17 PM Greg Hudson wrote:
>
> On 7/23/21 4:38 PM, Vipul Mehta wrote:
> > I did some testing with Windows KDC and it will set forwardable flag in
> > S4U2Self service ticket in either of the following cases:
> >
> > 1) TrustedToAuthForDelegation is set to true in Service A
On 7/23/21 4:38 PM, Vipul Mehta wrote:
> I did some testing with Windows KDC and it will set forwardable flag in
> S4U2Self service ticket in either of the following cases:
>
> 1) TrustedToAuthForDelegation is set to true in Service A account.
>
> 2) Service A TGT used in S4U2Self has forwardable
Hi,
To perform constrained delegation from Service A to Service B, the forwardable
flag must be set in the S4U2Self service ticket returned by the KDC to Service
A.
I did some testing with Windows KDC and it will set forwardable flag in
S4U2Self service ticket in either of the following cases:
1) Trust
Did some more digging and found out following:
Service ticket used in S4U2Proxy need not be forwardable if resource-based
constrained delegation is used, i.e. the principalsAllowedToDelegateTo option is
configured on Service B.
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/dd1b47f