Cross-realm S4U2Self with AD trust

<mailman.59.1681425072.1964.kerberos@mit.edu>

https://www.novabbs.com/devel/article-flat.php?id=342&group=comp.protocols.kerberos#342

From: jcalm...@nvidia.com (Jonathan Calmels)
Newsgroups: comp.protocols.kerberos
Subject: Cross-realm S4U2Self with AD trust
Date: Thu, 13 Apr 2023 21:51:38 +0000
Organization: TNet Consulting
Lines: 102
Message-ID: <mailman.59.1681425072.1964.kerberos@mit.edu>
References: <BYAPR12MB28886748C59BFA5E09088C89BB989@BYAPR12MB2888.namprd12.prod.outlook.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
 by: Jonathan Calmels - Thu, 13 Apr 2023 21:51 UTC

Hi,

We have a 2-way trust between an MIT KDC and MS AD.
In the MIT realm, we have a service that needs to perform protocol transition (S4U) on behalf of a user from the AD realm.
However, we're currently experiencing issues with S4U2Self whereby AD can't find said service in its database.

From our limited understanding of cross-realm S4U, we expect AD to issue a TGT referral for the MIT service with the PAC of the user as described in
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/f35b6902-6f5e-4cd0-be64-c50bbaaf54a5
However it seems like the remote MIT service is being looked up in AD's DB (maybe to check for TrustedToAuthForDelegation).
We tried configuring an account in AD with the same SPN as the one in the MIT realm, but it didn't change anything; requests always fail on step 3.

Looking at the request, libkrb5 seems to use a canonicalized enterprise principal name of the form "service/host.mit.realm\@MIT_REALM@AD_REALM for user@AD_REALM" to perform the request.
Is this accurate (I couldn't find the reference in the S4U spec), and if so, why does AD think this principal is part of its realm?
Are we missing anything configuration-wise?

Logs and excerpt of the request:

$ kvno -I user@AD_REALM service/host.mit.realm

Getting initial credentials for service/host.mit.realm@MIT_REALM
Getting credentials user@AD_REALM -> service/host.mit.realm@MIT_REALM
Getting credentials service/host.mit.realm@MIT_REALM -> krbtgt/AD_REALM@MIT_REALM
Starting with TGT for client realm: service/host.mit.realm@MIT_REALM -> krbtgt/MIT_REALM@MIT_REALM
Requesting tickets for krbtgt/AD_REALM@MIT_REALM, referrals on
TGS reply is for service/host.mit.realm@MIT_REALM -> krbtgt/AD_REALM@MIT_REALM with session key aes256-sha2/E5C5
Received creds for desired service krbtgt/AD_REALM@MIT_REALM
Get cred via TGT krbtgt/AD_REALM@MIT_REALM after requesting service\/host.mit.realm\@MIT_REALM@AD_REALM (canonicalize on)
Got cred; -1765328377/Server not found in Kerberos database

kvno: Server not found in Kerberos database while getting credentials for service/host.mit.realm@MIT_REALM

$ klist

Default principal: service/host.mit.realm@MIT_REALM

Valid starting       Expires              Service principal
04/12/2023 14:32:02  04/13/2023 00:32:02  krbtgt/MIT_REALM@MIT_REALM
        renew until 04/19/2023 14:32:02
04/12/2023 14:32:02  04/13/2023 00:32:02  krbtgt/AD_REALM@MIT_REALM
        renew until 04/19/2023 14:32:02

===============

PA-DATA pA-FOR-USER
    padata-type: pA-FOR-USER (129)
    padata-value: 304fa0153013a003020101a10c300a1b086a63616c6d656c73a10c1b0a4e56494449412e…
        name
            name-type: kRB5-NT-PRINCIPAL (1)
            name-string: 1 item
                KerberosString: user
        realm: AD_REALM
        cksum
            cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
            checksum: d7a3ce0060dc9de668771aa397593450
        auth: Kerberos
req-body
    Padding: 0
    kdc-options: 40810000
        0... .... = reserved: False
        .1.. .... = forwardable: True
        ..0. .... = forwarded: False
        ...0 .... = proxiable: False
        .... 0... = proxy: False
        .... .0.. = allow-postdate: False
        .... ..0. = postdated: False
        .... ...0 = unused7: False
        1... .... = renewable: True
        .0.. .... = unused9: False
        ..0. .... = unused10: False
        ...0 .... = opt-hardware-auth: False
        .... 0... = unused12: False
        .... .0.. = unused13: False
        .... ..0. = constrained-delegation: False
        .... ...1 = canonicalize: True
        0... .... = request-anonymous: False
        .0.. .... = unused17: False
        ..0. .... = unused18: False
        ...0 .... = unused19: False
        .... 0... = unused20: False
        .... .0.. = unused21: False
        .... ..0. = unused22: False
        .... ...0 = unused23: False
        0... .... = unused24: False
        .0.. .... = unused25: False
        ..0. .... = disable-transited-check: False
        ...0 .... = renewable-ok: False
        .... 0... = enc-tkt-in-skey: False
        .... .0.. = unused29: False
        .... ..0. = renew: False
        .... ...0 = validate: False
    realm: AD_REALM
    sname
        name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
        sname-string: 1 item
            SNameString: service/host.mit.realm@MIT_REALM
    till: 2023-03-31 03:38:22 (UTC)
    nonce: 29027264
    etype: 2 items
        ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA384-192 (20)
        ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)

Thanks,
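Added example, not part of the post and not code from MIT krb5 or Active Directory: a toy Python model of the cross-realm S4U2Self referral step the post links to in MS-SFU. It keeps the post's placeholder realms and principal names; the KDC logic, the TgsReq/Kdc classes and the "referrals=False" switch (a KDC that only does a local lookup of the enterprise sname) are constructed simplifications with no keys or PAC contents.

```python
from dataclasses import dataclass
NT_PRINCIPAL, NT_ENTERPRISE = 1, 10
KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377  # the code in the post's kvno trace


@dataclass
class TgsReq:
    realm: str          # req-body realm: the KDC being asked
    sname: str          # sname name-string exactly as sent on the wire
    sname_type: int     # kRB5-NT-PRINCIPAL (1) or kRB5-NT-ENTERPRISE-PRINCIPAL (10)
    for_user: str       # PA-FOR-USER name, e.g. "user@AD_REALM"
    tgt_issuer: str     # realm that issued the TGT presented with this request
    canonicalize: bool = True


@dataclass
class Kdc:
    realm: str
    principals: set          # local database (constructed placeholders)
    trusted_realms: set      # realms we share a krbtgt key with
    referrals: bool = True   # False: only local lookups, the behaviour the post hits

    def s4u2self(self, req: TgsReq):
        """Answer one S4U2Self TGS-REQ as ("ticket"|"referral"|"error", detail)."""
        user, user_realm = req.for_user.rsplit("@", 1)
        # The impersonated user must be local, or vouched for by a referral TGT
        # that the user's own trusted realm issued after building the PAC.
        if user_realm == self.realm:
            if user not in self.principals:
                return ("error", "KDC_ERR_C_PRINCIPAL_UNKNOWN")
        elif not (req.tgt_issuer == user_realm and user_realm in self.trusted_realms):
            return ("error", "KDC_ERR_C_PRINCIPAL_UNKNOWN")
        # An enterprise sname carries the service's home realm after its last '@'.
        target_realm = self.realm
        if req.sname_type == NT_ENTERPRISE and "@" in req.sname:
            target_realm = req.sname.rsplit("@", 1)[1]
        if target_realm != self.realm:
            if self.referrals and req.canonicalize and target_realm in self.trusted_realms:
                # MS-SFU step 3: return a cross-realm TGT (carrying the user's PAC)
                return ("referral", f"krbtgt/{target_realm}@{self.realm}")
            # Looking the foreign service up locally instead gives the post's error.
            return ("error", KDC_ERR_S_PRINCIPAL_UNKNOWN)
        if req.sname not in self.principals:
            return ("error", KDC_ERR_S_PRINCIPAL_UNKNOWN)
        return ("ticket", f"{req.sname}@{self.realm}")


def cross_realm_s4u2self(service, user, service_kdc, user_kdc):
    # The two requests a service makes to impersonate a user from a trusted realm.
    svc, usr = service_kdc.realm, user_kdc.realm
    # Ask the user's KDC, presenting krbtgt/USR@SVC and the enterprise form of our name.
    step3 = user_kdc.s4u2self(
        TgsReq(usr, f"{service}@{svc}", NT_ENTERPRISE, f"{user}@{usr}", svc))
    if step3[0] != "referral":
        return step3
    # Present the referral TGT (issued by the user's realm) to our own KDC.
    return service_kdc.s4u2self(TgsReq(svc, service, NT_PRINCIPAL, f"{user}@{usr}", usr))
```

With referrals enabled the user-realm KDC answers the enterprise sname with krbtgt/MIT_REALM@AD_REALM and the service's own KDC then issues the ticket; with referrals disabled the same request stops at step 3 with the "Server not found" code the trace shows.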
