[38485] in Kerberos

home help back first fref pref prev next nref lref last post

Constrained Delegation error "KDC policy rejects request"

daemon@ATHENA.MIT.EDU (John Byrne)
Wed Feb 6 15:49:58 2019

MIME-Version: 1.0
From: John Byrne <jhnbyrn@gmail.com>
Date: Wed, 6 Feb 2019 15:49:39 -0500
Message-ID: <CAJDs90CPe+yYGcgu4Wn2jWBgaQ07TWNXuVQ2q76vze2ktPKowQ@mail.gmail.com>
To: "kerberos@MIT.EDU" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
I'm trying to perform constrained delegation. However, I'm getting this
error from the KDC when the intermediate service calls the step() function
on the security context: "KDC policy rejects request"

Here's the KDC log:

Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8
etypes {18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE:
authtime 0,  HTTP/www.example.com@EXAMPLE.COM for HTTP/
datastore.example.com@EXAMPLE.COM, KDC policy rejects request

I've set the "ok_to_auth_as_delegate" flag on the intermediate service
principal HTTP/www.example.com, using kadmin.local (output of getprinc

Is there something else I need to do to allow this?


PS. here's the output of kadmin.local getprinc command for the intermediate
service principal:

kadmin.local:  getprinc HTTP/www.example.com
Principal: HTTP/www.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Feb 06 14:58:41 EST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Feb 06 15:19:15 EST 2019 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
MKey: vno 1
Kerberos mailing list           Kerberos@mit.edu

home help back first fref pref prev next nref lref last post