[37487] in Kerberos
Re: Forwardable TGT - Windows vs MIT behavior?
daemon@ATHENA.MIT.EDU (Ray Van Dolson)
Sat Apr 23 12:48:26 2016
Date: Sat, 23 Apr 2016 09:47:59 -0700
From: Ray Van Dolson <rvandolson@esri.com>
To: kerberos@mit.edu
Message-ID: <20160423164759.GA12623@esri.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20160423164147.GA12530@esri.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Sat, Apr 23, 2016 at 09:41:47AM -0700, Ray Van Dolson wrote:
> Using PuTTY from a domain-joined Windows 7 machine, with that machine's
> PuTTY stack configured to allow credential delegation and connecting to
> a RHEL7 server, also joined to AD but *not* configured in AD to be
> trusted for delegation, I do not get a TGT added to my cache when I
> connect.
>
> However, if I use MIT Kerberos on the Windows side to obtain the ticket
> and then configure PuTTY to prefer MIT over MS SPI, and connect to the
> same RHEL7 machine, I *do* get a forwarded TGT (klist -f: Flags: FfPRA)
>
> PuTTY w/ MS SSPI works *if* I go into AD and set the target server up
> to be configured for delegation trust.
>
> Can someone explain the difference in behavior? Almost feels like the
> ticket the MIT stack is providing to PuTTY is different than the MS
> stack's ticket.
>
> I also see this alluded to elsewhere[1].
>
> Thanks,
> Ray
Apologies for self-reply, but perhaps this is the reason?
http://mailman.mit.edu/pipermail/kerberos/2014-February/019500.html
Ray
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
