I was wondering whether this library supports Kerberos Unconstrained delegation.
With GSSAPI, unconstrained delegation works by requesting a forwardable TGT from the KDC (kinit -f username@REALM.COM). This forwardable ticket can then be delegated to the host by passing in the GSS_C_DELEG_FLAG flag with gss_init_sec_context. There's also the GSS_C_DELEG_POLICY_FLAG, which is like GSS_C_DELEG_FLAG but will instead only delegate if the ok-as-delegate flag is set on the account in AD.
On SSPI, it will attempt to get a forwardable ticket when InitializeSecurityContext has been used with the ISC_REQ_DELEGATE flag. This is like the GSS_C_DELEG_FLAG in that it will only get a delegated ticket if the ok-as-delegate flag is set in AD. AFAIK there's no way in SSPI to get a delegate ticket if the account isn't trusted for unconstrained delegation.
What this looks like in practice is that when you authenticate to a host without a delegatable ticket, you see the following from klist

When you authenticate with a delegatable ticket, you see the following

Notice that the forwarded ticket flag is set for a delegated scenario, which allows Windows to reuse that Kerberos ticket for any further network hops. Connecting to an SMB share, say, can now re-use those credentials.
So ultimately my questions are:
1. Does this library support the ISC_REQ_DELEGATE flag, in that it will get a service ticket the remote host can forward as needed?
2. If so, does it do so unilaterally, or does it honour the ok-as-delegate setting on the account in question?
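The post refers to the klist ticket-flag output that distinguishes a plain service ticket from a delegated one, but the captured output itself is not on the page. The following is an added example, not code from the issue author or from the library being asked about: it decodes the 32-bit "Ticket Flags" value that Windows klist prints (and MIT klist shows as flag letters) using the TicketFlags bit numbers from RFC 4120 section 5.3 (bit 0 is the most significant bit), and models the GSS_C_DELEG_FLAG versus GSS_C_DELEG_POLICY_FLAG decision the post describes. The sample klist lines and hex values are constructed for illustration; the name_canonicalize bit is the Windows-specific flag klist.exe reports and is not part of RFC 4120.

```python
"""Decode Kerberos TicketFlags as shown by klist and reason about delegation.

Added example (not from the original issue or the library it asks about).
Bit numbers follow RFC 4120 section 5.3; bit 0 is the MSB of the 32-bit value.
"""
import re

# RFC 4120 TicketFlags bit positions. name_canonicalize (bit 15) is the
# Windows-specific flag klist.exe displays; it is included for that reason.
TICKET_FLAG_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may_postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre_authent": 10,
    "hw_authent": 11,
    "transited_policy_checked": 12,
    "ok_as_delegate": 13,
    "name_canonicalize": 15,
}

# How each GSSAPI/SSPI request maps onto delegation behaviour, as described
# in the post: DELEG always forwards a forwardable TGT, DELEG_POLICY only
# forwards when the KDC marked the target ok-as-delegate.
DELEG_MODES = {"none", "deleg", "deleg_policy"}


def flag_mask(name: str) -> int:
    """Return the 32-bit mask for a named TicketFlags bit."""
    return 1 << (31 - TICKET_FLAG_BITS[name])


def decode_ticket_flags(value: int) -> list[str]:
    """Return the names of all flags set in a 32-bit TicketFlags value."""
    return [name for name in TICKET_FLAG_BITS if value & flag_mask(name)]


def encode_ticket_flags(names: list[str]) -> int:
    """Inverse of decode_ticket_flags: build the hex value klist would print."""
    value = 0
    for name in names:
        value |= flag_mask(name)
    return value


def parse_klist_flags_line(line: str) -> int:
    """Extract the hex TicketFlags value from a Windows klist 'Ticket Flags' line."""
    match = re.search(r"Ticket Flags\s+0x([0-9a-fA-F]{8})", line)
    if match is None:
        raise ValueError(f"no Ticket Flags value in line: {line!r}")
    return int(match.group(1), 16)


def is_delegated_tgt(tgt_flags: int) -> bool:
    """On the remote host, a delegated TGT carries the 'forwarded' flag."""
    return bool(tgt_flags & flag_mask("forwarded"))


def will_delegate(tgt_flags: int, service_ticket_flags: int, mode: str) -> bool:
    """Predict whether a client-side context request forwards the TGT.

    tgt_flags: flags of the client's TGT (must be forwardable, i.e. kinit -f).
    service_ticket_flags: flags of the ticket for the target service; the KDC
    sets ok_as_delegate there when the account is trusted for delegation.
    mode: 'none', 'deleg' (GSS_C_DELEG_FLAG / unconditional) or
    'deleg_policy' (GSS_C_DELEG_POLICY_FLAG / honour ok-as-delegate).
    """
    if mode not in DELEG_MODES:
        raise ValueError(f"unknown delegation mode {mode!r}")
    if not tgt_flags & flag_mask("forwardable"):
        return False  # nothing forwardable to hand over, regardless of flags
    if mode == "deleg":
        return True
    if mode == "deleg_policy":
        return bool(service_ticket_flags & flag_mask("ok_as_delegate"))
    return False


# Constructed sample klist.exe lines (illustrative values, not captured output).
SAMPLE_TGT_ON_SERVER = "        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize"
SAMPLE_SVC_TRUSTED = "        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize"
SAMPLE_SVC_UNTRUSTED = "        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize"

if __name__ == "__main__":
    for line in (SAMPLE_TGT_ON_SERVER, SAMPLE_SVC_TRUSTED, SAMPLE_SVC_UNTRUSTED):
        value = parse_klist_flags_line(line)
        print(f"0x{value:08x}: {' '.join(decode_ticket_flags(value))}")
```

To apply it to a real host, paste the "Ticket Flags" line from klist into parse_klist_flags_line and check is_delegated_tgt on the krbtgt entry seen on the remote server, or ok_as_delegate on the client's service ticket for the target SPN to predict what a DELEG_POLICY request will do.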