[16241] in Kerberos-V5-bugs
[krbdev.mit.edu #8777] S4U2Self with X.509 certificate bugs
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Jan 28 15:21:43 2019
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: Greg Hudson via RT <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8777@krbdev.mit.edu>
Message-ID: <rt-8777-49283.8.35707871926857@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8777'":;
Date: Mon, 28 Jan 2019 15:21:22 -0500
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
One more issue I neglected to note:
* In the TGS part of a S4U2Self request, when multiple TGS requests are
required due to cross-realm, to be consistent with Windows clients,
only the first request should present the certificate; later requests
should present the client principal obtained from the PA-FOR-X509-USER
padata in the first TGS response.
I will also note here that, per Isaac's investigation, the Windows LSA
API will extract a UPN SAN from the client certificate and use that
enterprise principal in preference to the certificate. To do the same
we would need certificate-parsing code or an OpenSSL dependency in the
S4U2Self code.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
