Query regarding S4U2Self protocol extension

<mailman.1.1627079070.10749.kerberos@mit.edu>


https://www.novabbs.com/devel/article-flat.php?id=108&group=comp.protocols.kerberos#108

From: vipulmeh...@gmail.com (Vipul Mehta)
Newsgroups: comp.protocols.kerberos
Subject: Query regarding S4U2Self protocol extension
Date: Sat, 24 Jul 2021 02:08:21 +0530
Organization: TNet Consulting
To: kerberos@mit.edu
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos>
 by: Vipul Mehta - Fri, 23 Jul 2021 20:38 UTC

Hi,

To perform constrained delegation from Service A to Service B, the forwardable
flag must be set in the S4U2Self service ticket returned by the KDC to Service
A.

I did some testing with the Windows KDC, and it will set the forwardable flag in
the S4U2Self service ticket in either of the following cases:

1) TrustedToAuthForDelegation is set to true in the Service A account.

2) The Service A TGT used in S4U2Self has the forwardable flag set and the
msDS-AllowedToDelegateTo list is empty on the Service A account.

I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
in the 2nd case.

Is the behavior of the MIT KDC the same as the Windows KDC?
In my test, I have configured resource-based constrained delegation in
Service B (principalsAllowedToDelegateTo).

--
Regards,
Vipul
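
Added example, not part of the original post and not code from MIT krb5 or Windows: the resource-based constrained delegation setting the poster configured on Service B (PrincipalsAllowedToDelegateToAccount) is stored in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute as a self-relative NT security descriptor, and the accounts allowed to delegate to Service B are the trustees of the ACCESS_ALLOWED entries in its DACL. That list is the second thing checked on the Service B side during S4U2Proxy, next to the forwardable flag the post is asking about, so it is worth confirming Service A's SID is really in it. The Python below builds such a descriptor from a list of SIDs and parses one back. Field layouts follow [MS-DTYP]; the domain SIDs are constructed sample data, and the access mask is the one seen in the SDDL Windows writes for this attribute (an assumption here, since the check that matters is on the trustee SID).

```python
"""Read and write msDS-AllowedToActOnBehalfOfOtherIdentity.

Added example (not from the original post): the attribute is a self-relative
NT security descriptor; each ACCESS_ALLOWED ACE in its DACL names one account
that is allowed to delegate to the object that carries it. Field layouts are
from [MS-DTYP] 2.4.6 (SECURITY_DESCRIPTOR), 2.4.5 (ACL), 2.4.4.2
(ACCESS_ALLOWED_ACE) and 2.4.2.2 (SID).
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
# Mask seen in the SDDL Windows writes for this attribute
# (CCDCLCSWRPWPDTLOCRSDRCWDWO); assumed here, the KDC check is on the SID.
RBCD_ACE_MASK = 0x000F01FF


def parse_sid(buf: bytes, off: int) -> tuple[str, int]:
    """Decode a binary SID at buf[off:]; return (S-1-... string, bytes consumed)."""
    rev, sub_count = buf[off], buf[off + 1]
    if rev != 1:
        raise ValueError(f"unsupported SID revision {rev}")
    ident = int.from_bytes(buf[off + 2:off + 8], "big")         # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)  # little-endian
    text = "S-%d-%d" % (rev, ident) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * sub_count


def build_sid(sid: str) -> bytes:
    """Encode an S-1-... string as a binary SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"malformed SID {sid!r}")
    ident, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + ident.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rbcd_allowed_sids(sd: bytes) -> list[str]:
    """Return the trustee SIDs of the ACCESS_ALLOWED ACEs in the DACL, i.e. the
    accounts allowed to delegate to the object holding this attribute."""
    rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                                   # NULL DACL: nobody listed
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    sids, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = parse_sid(sd, off + 8)         # skip ACE header (4) + mask (4)
            sids.append(sid)
        off += ace_size                             # other ACE types are skipped
    return sids


def build_rbcd_sd(allowed_sids: list[str]) -> bytes:
    """Build the descriptor for a list of delegating accounts: owner
    BUILTIN\\Administrators (the "O:BA" Windows writes), one ACCESS_ALLOWED ACE
    per SID, no SACL."""
    aces = b""
    for s in allowed_sids:
        body = struct.pack("<I", RBCD_ACE_MASK) + build_sid(s)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = build_sid("S-1-5-32-544")
    header_len = 20
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         header_len + len(acl), 0, 0, header_len)
    return header + acl + owner


if __name__ == "__main__":
    # Constructed sample: Service A's SID in a made-up domain (assumption).
    service_a = "S-1-5-21-1234567890-234567891-345678912-1104"
    blob = build_rbcd_sd([service_a])
    print("allowed to delegate:", rbcd_allowed_sids(blob))
    print("service A listed:", service_a in rbcd_allowed_sids(blob))
```

ldapsearch (base64 in LDIF output) and the AD PowerShell module both hand back the attribute as a raw byte blob; decode it and pass it to rbcd_allowed_sids(). An absent attribute or a NULL DACL means no account is listed, and the function only reports ACCESS_ALLOWED entries, which is all Windows writes for this setting.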
