RE: Question about TGT forwarding

daemon@ATHENA.MIT.EDU (Thomas Maslen (tmaslen))
Fri Jun 1 15:22:47 2018

From: "Thomas Maslen (tmaslen)" <Thomas.Maslen@oneidentity.com>
To: Jason Edgecombe <jwedgeco@uncc.edu>
Date: Fri, 1 Jun 2018 18:54:57 +0000
Message-ID: <D5847DD823005F4E9DB94FE77DCEDF684A8502DC@ALVMBXW01.prod.quest.corp>
Content-Language: en-AU
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Thu, May 31, 2018 at 04:50:36PM -0400, Jason Edgecombe wrote:
[...]
> I have a disagreement with our AD guru on whether or not TGTs are expected
> to be forwarded and if that is a security risk. Everything worked fine a
> few weeks ago.

Windows' own Kerberos client code will only send a delegated TGT if the service ticket contains the OK-AS-DELEGATE flag.

If the KDC issuing the service ticket is Active Directory, it will only set the OK-AS-DELEGATE flag in the service ticket if the Active Directory object for the target of that service ticket has the UF_TRUSTED_FOR_DELEGATION flag set.  In the "Active Directory Users and Computers" GUI, on the Delegation tab, choosing “Trust this user/computer for delegation to any service (Kerberos only)” enables that flag.

So one possibility, I suppose, is that a few weeks ago you were using a service account that was configured that way and now you aren't.

But if, as Ben points out, your Kerberos client code is some other Kerberos implementation then none of this may be relevant.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
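As an added example (not part of the mailing-list post, and not code from any of the participants), the following Python decodes the two things the reply tells you to look at when diagnosing unexpected or missing TGT forwarding from a Windows client: the OK-AS-DELEGATE flag in the cached service ticket, as printed by Windows `klist`, and the UF_TRUSTED_FOR_DELEGATION bit (0x80000) in the target account's userAccountControl attribute. The `klist` text, the principal names (alice, web01, fs01, EXAMPLE.COM) and the userAccountControl values are constructed sample input; the ticket-flag bit numbers follow RFC 4120 section 5.3.1, and `name_canonicalize` is the Windows-specific use of bit 15.

```python
"""Diagnose whether a Windows Kerberos client will forward (delegate) its TGT.

Added example, not from the mailing-list post.  Inputs are constructed.
"""
import re

# RFC 4120 5.3.1 TicketFlags bit numbers.  The ASN.1 BIT STRING is packed
# MSB-first, so bit n is mask 1 << (31 - n) in the 32-bit value klist prints.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may_postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre_authent": 10, "hw_authent": 11,
    "transited_policy_checked": 12, "ok_as_delegate": 13,
    "name_canonicalize": 15,  # Windows-specific use of bit 15
}

# userAccountControl bits (subset).  UF_TRUSTED_FOR_DELEGATION is what the
# "Trust this user/computer for delegation to any service (Kerberos only)"
# radio button sets; NOT_DELEGATED is "Account is sensitive and cannot be delegated".
UAC_BITS = {
    "NORMAL_ACCOUNT": 0x00000200,
    "WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "SERVER_TRUST_ACCOUNT": 0x00002000,
    "DONT_EXPIRE_PASSWORD": 0x00010000,
    "TRUSTED_FOR_DELEGATION": 0x00080000,
    "NOT_DELEGATED": 0x00100000,
}


def decode_ticket_flags(mask: int) -> set:
    """Return the set of ticket-flag names present in a 32-bit TicketFlags mask."""
    return {name for name, bit in TICKET_FLAG_BITS.items() if mask & (1 << (31 - bit))}


def decode_uac(uac: int) -> set:
    """Return the names of the known userAccountControl bits set in uac."""
    return {name for name, bit in UAC_BITS.items() if uac & bit}


def trusted_for_delegation(uac: int) -> bool:
    """True when UF_TRUSTED_FOR_DELEGATION is set, i.e. AD will put OK-AS-DELEGATE
    into service tickets issued for this account (per the post)."""
    return bool(uac & UAC_BITS["TRUSTED_FOR_DELEGATION"])


# Windows klist prints one "#N>" block per cached ticket.
_ENTRY = re.compile(r"#\d+>(.*?)(?=#\d+>|\Z)", re.S)
_SERVER = re.compile(r"Server:\s*(\S+)\s*@\s*(\S+)")
_FLAGS = re.compile(r"Ticket Flags\s+(0x[0-9A-Fa-f]+)")


def parse_klist(text: str) -> dict:
    """Map 'service@REALM' -> decoded flag set for each ticket in Windows klist output."""
    tickets = {}
    for m in _ENTRY.finditer(text):
        srv, flg = _SERVER.search(m.group(1)), _FLAGS.search(m.group(1))
        if srv and flg:
            tickets[f"{srv.group(1)}@{srv.group(2)}"] = decode_ticket_flags(int(flg.group(1), 16))
    return tickets


def will_forward_tgt(tickets: dict, service: str, realm: str) -> bool:
    """The rule from the post: the Windows client sends a delegated TGT only when the
    service ticket carries ok_as_delegate.  The TGT being forwarded must itself be
    forwardable (RFC 4120 2.6), so that is checked as well."""
    svc = tickets.get(f"{service}@{realm}", set())
    tgt = tickets.get(f"krbtgt/{realm}@{realm}", set())
    return "ok_as_delegate" in svc and "forwardable" in tgt


# Constructed sample of Windows `klist` output: the HTTP service ticket lacks
# ok_as_delegate, the cifs one has it.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

#1>     Client: alice @ EXAMPLE.COM
        Server: HTTP/web01.example.com @ EXAMPLE.COM
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize

#2>     Client: alice @ EXAMPLE.COM
        Server: cifs/fs01.example.com @ EXAMPLE.COM
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
"""

if __name__ == "__main__":
    cached = parse_klist(SAMPLE_KLIST)
    for svc in ("HTTP/web01.example.com", "cifs/fs01.example.com"):
        print(f"{svc}: forward TGT = {will_forward_tgt(cached, svc, 'EXAMPLE.COM')}")
    # Constructed userAccountControl values: a service user with the flag, and one without.
    for uac in (0x80200, 0x10200):
        print(f"userAccountControl {uac:#x}: {sorted(decode_uac(uac))}, "
              f"trusted_for_delegation={trusted_for_delegation(uac)}")
```

To use it against a real host, paste the output of `klist` from the client session into `parse_klist`, and pull `userAccountControl` for the service account or computer object from AD (for example with `Get-ADObject ... -Properties userAccountControl`) into `decode_uac`. If the service ticket shows `ok_as_delegate` but the client is not Windows, the rule in `will_forward_tgt` does not apply, as the post notes.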