Your project is about "delegation with protocol transition", but my question is about "delegation without protocol transition"; sorry for that, I hope you will answer.
In my test env I am controlling both the client's and the service's sides. There are: client, service A, service B. For service A I configured "Kerberos only" delegation and added service B as allowed to delegate to. On the client I am making an AP-REQ to service A via InitializeSecurityContext(...ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE...). On service A I can successfully accept the security context via AcceptSecurityContext. Then on the service A side I am impersonating the client via ImpersonateSecurityContext. I am impersonating not in a separate thread, but in the scope of the main process. So, after the impersonation I can see the service ticket from the client to service A with the FORWARDABLE flag. Thus I assume that when I call InitializeSecurityContext(...ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE...) the system would use that particular service ticket from the client which the system already has. But instead the system is making an S4U2Self request for the client, and the KDC responds with a ticket without the FORWARDABLE flag, of course. And then, when the system is making the TGS-REQ, it uses the S4U2Self ticket. As a result, I have an error with code 13 (bad option) and STATUS_ACCOUNT_RESTRICTION. Again - service A is configured with the "Kerberos only" delegation variant. There is no RBCD configured on service B. The client is not in "Protected Users".
Please clarify the situation, I do not know another person who could explain it better than you, Steve. Thank you in advance!
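The KDC rules behind the reported error, as an added model that is not code from the project or the issue author: it encodes when an S4U2Self ticket comes back FORWARDABLE and when S4U2Proxy accepts an evidence ticket (per MS-SFU), then replays the configuration from the question. The userAccountControl bit values are the standard AD ones; the SPNs, principal name and result keys are assumed names.

```python
from dataclasses import dataclass, field

# userAccountControl bits (standard AD values, not taken from the issue text)
NOT_DELEGATED = 0x100000                    # "sensitive, cannot be delegated"; Protected Users behaves alike
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" (protocol transition)

@dataclass
class Service:
    spn: str
    uac: int = 0
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    rbcd_from: list = field(default_factory=list)               # msDS-AllowedToActOnBehalfOfOtherIdentity

@dataclass
class Ticket:
    client: str
    service: str
    forwardable: bool

def s4u2self(front: Service, client: str, client_uac: int) -> Ticket:
    """KDC reply to S4U2Self (MS-SFU 3.2.5.1.2): the ticket is FORWARDABLE only
    when the service has T2A4D ("any protocol") and the client may be delegated."""
    forwardable = bool(front.uac & TRUSTED_TO_AUTH_FOR_DELEGATION) and not (client_uac & NOT_DELEGATED)
    return Ticket(client, front.spn, forwardable)

def s4u2proxy(front: Service, target: Service, evidence: Ticket) -> str:
    """KDC checks on S4U2Proxy (MS-SFU 3.2.5.2.1). Returns 'OK' or the error name.
    KDC_ERR_BADOPTION is error code 13, which SSPI surfaces as STATUS_ACCOUNT_RESTRICTION."""
    if evidence.service != front.spn:
        return "KDC_ERR_BADOPTION"   # evidence ticket must be addressed to the requesting service
    if front.spn in target.rbcd_from:
        return "OK"                  # RBCD on the target: a non-forwardable evidence ticket is accepted
    if target.spn not in front.allowed_to_delegate_to:
        return "KDC_ERR_BADOPTION"   # classic constrained delegation to this target not configured
    if not evidence.forwardable:
        return "KDC_ERR_BADOPTION"   # the case reported in the issue
    return "OK"

def reported_scenario() -> dict:
    """Replay the issue: 'Kerberos only' on A (no T2A4D), no RBCD on B, client not sensitive."""
    a = Service("HTTP/svc-a.example.test", allowed_to_delegate_to=["cifs/svc-b.example.test"])
    b = Service("cifs/svc-b.example.test")
    client = "alice@EXAMPLE.TEST"   # constructed principal
    # What Windows did: obtained an S4U2Self ticket and used it as the evidence ticket.
    via_s4u2self = s4u2proxy(a, b, s4u2self(a, client, client_uac=0))
    # What the author expected: use the client's own FORWARDABLE service ticket to A as evidence.
    via_client_ticket = s4u2proxy(a, b, Ticket(client, a.spn, forwardable=True))
    return {"s4u2self_evidence": via_s4u2self, "client_ticket_evidence": via_client_ticket}
```

The model shows why the S4U2Self ticket fails as evidence in a "Kerberos only" setup; it does not explain why the SSPI chose S4U2Self over the cached client ticket, which is the open question of the issue.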