[37255] in Kerberos
Re: Constrained Delegation and PAC : Realm crossover
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Oct 15 10:06:35 2015
To: kerberos@mit.edu
From: Simo Sorce <simo@redhat.com>
Message-ID: <561FB2DA.80402@redhat.com>
Date: Thu, 15 Oct 2015 10:06:18 -0400
MIME-Version: 1.0
In-Reply-To: <561F9556.2050100@openfortress.nl>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 15/10/15 08:00, Rick van Rein wrote:
> Hello,
>
> Does anyone on this list have S4U2Proxy or "Constrained Delegation"
> experience?
Yes
> I know that the security is based on a PAC, but it is unclear where it
> is enforced -- in the benevolent service, or in the KDC.
Can be either, however according to MS specs the KDC is vouching for the
contents, and can (should) apply SID filtering (for example) to remove
unwanted identifiers from another domain.
> And, if it is the KDC, which one if client and service realms differ?
The client's KDC produces it, the service's KDC inspects it, perhaps 
changes it and then re-signs it therefore approving its use.
> The client provides a Forwarded TGT along with the session key on it, so
> I presume it is the client's KDC who applies policy (to avoid that a
> webmail service uses more than imap and smtp backend services).
Both KDCs are involved.
> Don't worry about pointing me to specs (or sections therein) if I missed
> the hints.  Since I don't use Windows I'm already getting at this from
> the "outside", reading specs, but it's not easy to see the whole picture.
Documents you may want to read:
MS-KILE: https://msdn.microsoft.com/en-us/library/cc233855.aspx
MS-PAC: https://msdn.microsoft.com/en-us/library/cc237917.aspx
-- 
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
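The flow Simo describes (the client's KDC produces the PAC, the service's KDC verifies it, applies SID filtering to strip identifiers that do not belong to the trusted realm, and re-signs it) modelled as a small Python example. This is an added illustration, not code from the thread or from MIT Kerberos: the real PAC is the binary MS-PAC structure with KDC and server checksums, and real SID filtering has well-known exceptions; here the PAC is a dict signed with an HMAC under an assumed inter-realm key, the domain SIDs and user SIDs are constructed sample values, and the filter keeps only SIDs whose domain prefix matches the trusted client realm.

```python
"""Toy model of cross-realm PAC handling with SID filtering.

Assumptions (not from MS-PAC / MS-KILE, which define the real formats):
  - a PAC is a dict {"user": ..., "sids": [...]} serialised as canonical JSON;
  - a "signature" is HMAC-SHA256 under a symmetric key;
  - the client KDC signs with the inter-realm key shared with the service KDC;
  - the service KDC re-signs the filtered PAC with its own key.
"""
import hashlib
import hmac
import json

# Constructed sample values; any resemblance to real domain SIDs is accidental.
CLIENT_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # realm that authenticated the user
SERVICE_DOMAIN_SID = "S-1-5-21-4444-5555-6666"  # realm running the backend service
INTER_REALM_KEY = b"constructed-inter-realm-key"
SERVICE_KDC_KEY = b"constructed-service-kdc-key"

# Constructed PAC group list: two SIDs from the client's own domain plus two
# that belong elsewhere and therefore must not survive the trust boundary.
SAMPLE_SIDS = [
    CLIENT_DOMAIN_SID + "-1105",   # the user's own SID
    CLIENT_DOMAIN_SID + "-513",    # Domain Users of the client domain
    SERVICE_DOMAIN_SID + "-512",   # a service-domain SID: not the client KDC's to assert
    "S-1-5-32-544",                # BUILTIN\Administrators: local to the service side
]


def sid_domain(sid: str) -> str:
    """Domain prefix of a SID, i.e. everything before the trailing RID."""
    parts = sid.split("-")
    return "-".join(parts[:-1])


def sign_pac(pac: dict, key: bytes) -> bytes:
    """HMAC over a canonical JSON encoding (stand-in for the PAC checksum)."""
    body = json.dumps(pac, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def verify_pac(pac: dict, sig: bytes, key: bytes) -> bool:
    return hmac.compare_digest(sign_pac(pac, key), sig)


def sid_filter(pac: dict, trusted_domain_sid: str):
    """Return (filtered_pac, dropped_sids); only SIDs of the trusted domain survive."""
    kept = [s for s in pac["sids"] if sid_domain(s) == trusted_domain_sid]
    dropped = [s for s in pac["sids"] if sid_domain(s) != trusted_domain_sid]
    filtered = dict(pac)
    filtered["sids"] = kept
    return filtered, dropped


def client_kdc_issue(user: str, sids: list, inter_realm_key: bytes):
    """Client realm's KDC builds the PAC and signs it for the service realm."""
    pac = {"user": user, "sids": list(sids)}
    return pac, sign_pac(pac, inter_realm_key)


def service_kdc_process(pac: dict, sig: bytes, inter_realm_key: bytes,
                        trusted_domain_sid: str, own_key: bytes):
    """Service realm's KDC: verify, filter, re-sign. Raises on a bad signature."""
    if not verify_pac(pac, sig, inter_realm_key):
        raise ValueError("PAC signature from client realm does not verify")
    filtered, dropped = sid_filter(pac, trusted_domain_sid)
    return filtered, sign_pac(filtered, own_key), dropped


def run_demo():
    """End-to-end run over the constructed sample; returns the pieces for inspection."""
    pac, sig = client_kdc_issue("alice", SAMPLE_SIDS, INTER_REALM_KEY)
    filtered, new_sig, dropped = service_kdc_process(
        pac, sig, INTER_REALM_KEY, CLIENT_DOMAIN_SID, SERVICE_KDC_KEY)
    return filtered, new_sig, dropped


if __name__ == "__main__":
    filtered, new_sig, dropped = run_demo()
    print("kept:   ", filtered["sids"])
    print("dropped:", dropped)
    print("re-signed by service KDC:", verify_pac(filtered, new_sig, SERVICE_KDC_KEY))
```

The point of the split is the one in the reply: the client realm's signature proves only that its KDC asserted those SIDs, so the service realm's KDC still decides which of them it will vouch for before putting its own signature on the result.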