
Re: Query regarding S4U2Self protocol extension

https://www.novabbs.com/devel/article-flat.php?id=111&group=comp.protocols.kerberos#111

From: ibouk...@gmail.com (Isaac Boukris)
Newsgroups: comp.protocols.kerberos
Subject: Re: Query regarding S4U2Self protocol extension
Date: Tue, 27 Jul 2021 13:17:07 +0300
Message-ID: <mailman.0.1627381043.4484.kerberos@mit.edu>
References: <CAMeQEL8+JGoqgh-j62duJBMLLoOKVPEZRWbC4mxLtdB-3ggwtw@mail.gmail.com>
<42a3d4b0-3461-5342-bf83-83475f3a0473@mit.edu>
Cc: Vipul Mehta <vipulmehta.1989@gmail.com>, kerberos <kerberos@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <42a3d4b0-3461-5342-bf83-83475f3a0473@mit.edu>

On Mon, Jul 26, 2021 at 10:17 PM Greg Hudson <ghudson@mit.edu> wrote:
>
> On 7/23/21 4:38 PM, Vipul Mehta wrote:
> > I did some testing with Windows KDC and it will set forwardable flag in
> > S4U2Self service ticket in either of the following cases:
> >
> > 1) TrustedToAuthForDelegation is set to true in Service A account.
> >
> > 2) Service A TGT used in S4U2Self has forwardable flag set and
> > msDS-AllowedToDelegateTo list is empty on Service A account.
> > I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
> > in the 2nd case.
> >
> > Is the behavior of MIT KDC the same as Windows KDC?
>
> We have an analog of the TrustedToAuthForDelegation flag, called
> ok_to_auth_as_delegate. We don't check for an empty
> allowed-to-delegate-to list.
....
> https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3

Now that I read this again, and read again the "Additional
considerations" section in that link, I think what might have happened with
this change is that now RBCD requires the forwardable flag, but any
service with an empty msDS-AllowedToDelegateTo list, as Vipul
remarked, gets treated as TrustedToAuthForDelegation and gets the flag
(presumably, unless the client is in the protected-users group or has
the not-delegated flag).

I'll run some tests and check it with dochelp.
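As an added illustration, not code from the thread or from either KDC, the following Python models the two rules discussed above: the Windows KDC behaviour Vipul observed (case 1 and case 2) and the MIT KDC analogue Greg described (ok_to_auth_as_delegate, no empty-list check). The protected-users/not-delegated exception is Isaac's presumption and is modelled as a labelled assumption; the account names and SPN are constructed. The audit function lists the accounts that would receive a forwardable S4U2Self ticket from Windows only because their delegate-to list is empty, which is the case a defender reviewing delegation settings would want to spot.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class ServiceAccount:
    name: str
    # Windows TrustedToAuthForDelegation; MIT's analogue is ok_to_auth_as_delegate
    trusted_to_auth_for_delegation: bool = False
    # Windows msDS-AllowedToDelegateTo (constrained-delegation target SPNs)
    allowed_to_delegate_to: List[str] = field(default_factory=list)

@dataclass
class S4U2SelfRequest:
    service: ServiceAccount
    service_tgt_forwardable: bool          # forwardable flag on Service A's own TGT
    client_not_delegatable: bool = False   # ASSUMPTION: Protected Users / not-delegated

def windows_sets_forwardable(req: S4U2SelfRequest) -> bool:
    """Windows KDC rule as reported in the thread (cases 1 and 2).
    The not-delegatable exception is modelled as an assumption from the reply."""
    if req.client_not_delegatable:
        return False
    if req.service.trusted_to_auth_for_delegation:            # case 1
        return True
    return req.service_tgt_forwardable and not req.service.allowed_to_delegate_to  # case 2

def mit_sets_forwardable(req: S4U2SelfRequest) -> bool:
    """MIT KDC analogue per the reply: ok_to_auth_as_delegate decides, and the
    delegate-to list is never consulted. Other MIT restrictions are not modelled."""
    if req.client_not_delegatable:
        return False
    return req.service.trusted_to_auth_for_delegation

def audit_case2(accounts: List[ServiceAccount], tgt_forwardable: bool = True) -> List[str]:
    """Accounts that get a forwardable S4U2Self ticket from Windows purely through
    case 2 (empty delegate-to list), i.e. where the two KDC rules disagree."""
    found = []
    for acct in accounts:
        req = S4U2SelfRequest(acct, tgt_forwardable)
        if windows_sets_forwardable(req) and not mit_sets_forwardable(req):
            found.append(acct.name)
    return found

# Constructed sample accounts (not taken from any real directory).
SAMPLE = [
    ServiceAccount("svc-web", trusted_to_auth_for_delegation=True),
    ServiceAccount("svc-report", allowed_to_delegate_to=["cifs/files.example.test"]),
    ServiceAccount("svc-legacy"),   # flag unset, list empty: case 2 applies
]

if __name__ == "__main__":
    print(audit_case2(SAMPLE))   # ['svc-legacy']
```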
