Do tickets need to be refreshed if changes are made to delegation for a service account?

[RussKahler1970]

I am curious to what is all in the ticket for Kerberos and if I have a app running that has a cached token do I need to purge then when delegation changes are done or does the ticket only contain info for the user?

[SteveSyfuhs]

For the user getting delegated or the service account? In the user case, sorta. The forward bit is set to indicate the client can delegate it's TGT to the target if unconstrained delegation is enabled. For constrained delegation, I don't recall if the bit is set.

Service account might require the forward bit, though I don't recall if that's for all cases or just the second half of the S4U call for proxy.

In either case the delegation controls shouldn't be modified regularly so it shouldn't be taxing to clear the ticket cache afterword.

---

From: RussKahler1970 @.> Sent: Tuesday, February 6, 2024 4:29:41 PM To: dotnet/Kerberos.NET @.> Cc: Subscribed @.***> Subject: [dotnet/Kerberos.NET] Do tickets need to be refreshed if changes are made to delegation for a service account? (Issue #365)

I am curious to what is all in the ticket for Kerberos and if I have a app running that has a cached token do I need to purge then when delegation changes are done or does the ticket only contain info for the user?

— Reply to this email directly, view it on GitHubhttps://github.com/dotnet/Kerberos.NET/issues/365 or unsubscribehttps://github.com/notifications/unsubscribe-auth/AAJHTYJZYEPXENOVBY25W53YSKVFNBFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJLJONZXKZNENZQW2ZNLORUHEZLBMRPXI6LQMWBKK5TBNR2WLKJVGY2DENZSGM2TLJDOMFWWLKLIMFZV63DBMJSWZAVFOZQWY5LFUR2HE5LFURXGC3LFVZ3WC5DDNBPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLJKJONZXKZNGORXXA2LDOOJYFJDUPFYGLKTSMVYG643JORXXE6NFOZQWY5LFVA4DKNBYHEYTGOECUR2HS4DFUVUXG43VMWSXMYLMOVS2UMRRGIYTONZUHE3TPAVEOR4XAZNFNRQWEZLMUV3GC3DVMWUTKNRUGI3TEMZVGWTXI4TJM5TWK4VGMNZGKYLUMU. You are receiving this email because you are subscribed to this thread.

Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[RussKahler1970]

The forward bit is part of the ticket? do I need to request that set or is the based on the users delegation?

[RussKahler1970]

Maybe I can provide more information. I am getting a ticket and using it on an HTTP request to a site running in IIS that is setup to require windows authentication. the ticket is used and resolves my identity and allows the request to proceed. the issue I have is that this site is setup to force impersonation which should take the identity of the request and pass it into SQL. Kerberos should handle that but for some reason my sql login is failing as its falling back to NT AUTHORITY\ANONYMOUS LOGON which is what we see when Kerberos is not passed on the double hop.

[RussKahler1970]

So the ticket I am getting to make the web request is using spn= http/[host dns] but for SQL I need MSSQLSvc/[SQL instance] do I have to do something to provide that ticket with the first ticket to the web request?

[SteveSyfuhs]

When you're making the ticket request are you also including the Negotiate delegate flag? From memory I don't recall if that's required for constrained delegation, but I'd guess yes.

---

From: RussKahler1970 @.> Sent: Wednesday, February 7, 2024 11:47:51 AM To: dotnet/Kerberos.NET @.> Cc: Comment @.>; Subscribed @.> Subject: Re: [dotnet/Kerberos.NET] Do tickets need to be refreshed if changes are made to delegation for a service account? (Issue #365)

So the ticket I am getting to make the web request is using spn= http/[host dns] but for SQL I need MSSQLSvc/[SQL instance] do I have to do something to provide that ticket with the first ticket to the web request?

— Reply to this email directly, view it on GitHubhttps://github.com/dotnet/Kerberos.NET/issues/365#issuecomment-1932569475 or unsubscribehttps://github.com/notifications/unsubscribe-auth/AAJHTYOPP35ARMRITRG4BBLYSO44PBFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVE2TMNBSG4ZDGNJVURXGC3LFVFUGC427NRQWEZLMVRZXKYTKMVRXIX3UPFYGLLCJONZXKZKDN5WW2ZLOOSTHI33QNFRXHE4CUR2HS4DFVJZGK4DPONUXI33SPGSXMYLMOVS2QOBVGQ4DSMJTHCBKI5DZOBS2K2LTON2WLJLWMFWHKZNKGIYTEMJXG42DSNZXQKSHI6LQMWSWYYLCMVWKK5TBNR2WLKJVGY2DENZSGM2TLJ3UOJUWOZ3FOKTGG4TFMF2GK. You are receiving this email because you commented on the thread.

Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[RussKahler1970]

how do I include this flag ( Negotiate delegate flag) to get GetServiceTiicket method? I don't see a setting for that? or in the Configuration on the client.

Thanks for your help?

[RussKahler1970]

I am a bit lost on how to request a delegable ticket. should I be requesting a different ticket type? When I login with an app that does connect properly I see these flags on my ticket. that is what I need to make my ticket work. How do I request or get those flags set on my ticket? Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize

[RussKahler1970]

I think I need to set the flag OkAsDelegate but I cannot figure out how to set that on the client.

[RussKahler1970]

I am stuck at this point. I cannot generate a ticket that is delegable and could use some help if someone has some example or ideas as to what to do.

[SteveSyfuhs]

There's a command in the Bruce tool that shows how this works: https://github.com/dotnet/Kerberos.NET/blob/3fd93b8f9628b611ed30fca422e533f3ee10c60f/Bruce/CommandLine/KerberosConstrainedDelegationCommand.cs

You can also set the Forwardable bit on the request itself:

client.KdcOptions |= KdcOptions.Forwardable;

[RussKahler1970]

Not sure what is going wrong. I am still not getting the kerberos to delegate through to my sql login.
Here is how I am creating my client.

var clientArgs = new Krb5Config(); clientArgs.Defaults.Forwardable = true; clientArgs.Defaults.EnforceOkAsDelegate = true; clientArgs.Defaults.DnsLookupKdc = true; clientArgs.Defaults.AllowWeakCrypto = true; clientArgs.Defaults.KdcDefaultOptions |= KdcOptions.RenewableOk | KdcOptions.Forwardable; _kClient = new KerberosClient(clientArgs, LoggerFactory);

Here is how I am requesting my ticket. var args = new RequestServiceTicket { ServicePrincipalName = spn, CacheTicket = true

       };                     
       args.KdcOptions |= KdcOptions.Forwardable;
       var session = await KClient.GetServiceTicket(args).ConfigureAwait(false);

       return session.ApReq;

Then I add to my httpclient header with. client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Negotiate", Convert.ToBase64String(ticket.EncodeGssApi().ToArray()));

using my logging on the server its says my identity in IIS is [domiain][service account] but when it tries to connect to SQL it tells me that Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

The same site if I connect with another app we use, connects and passes identity correctly with the Kerberos identity showing up as the user in SQL session.

I looked at the bruce command line file but that seems to be loading the krb5.conf so its not clear what I should all set in both create client and when I am getting the ticket.

Any help would be greatly apricated .

[RussKahler1970]

Also note my service account has delegation setup to allow delegation to any service.

[SteveSyfuhs]

You might try setting

args.ApOptions |= ApOptions.MutualRequired;
// OR
args.GssContextFlags |= GssContextEstablishmentFlag.GSS_C_DELEG_FLAG;

I vaguely recall we enforce some things with mutual auth so that might be a requirement. The deleg flag isn't technically right, but I don't have the Windows behaviors in front of me at the moment to verify.

[RussKahler1970]

I tried args.ApOptions |= ApOptions.MutualRequired; and no different still not delegating the identity.

I tried args.GssContextFlags |= GssContextEstablishmentFlag.GSS_C_DELEG_FLAG; and the web site requiring windows authentication fails with a 401 error.

[RussKahler1970]

Any other thoughts on how to get the ticket to authenticate through delegation? I am a bit stuck at this point.

[SteveSyfuhs]

I don't have any specific ideas why it's not working. I'd need to see more data unfortunately. Clearly there is a difference between working and non-working requests but I don't know what. It's almost certainly something small like a flag.

You could diff the two through a tool like the Bruce Decode utility. That would dump out the structures and could be compared. Downside is that you need the secret of the target server.

---

From: RussKahler1970 @.> Sent: Tuesday, February 13, 2024 5:53:55 AM To: dotnet/Kerberos.NET @.> Cc: Comment @.>; Subscribed @.> Subject: Re: [dotnet/Kerberos.NET] Do tickets need to be refreshed if changes are made to delegation for a service account? (Issue #365)

Any other thoughts on how to get the ticket to authenticate through delegation? I am a bit stuck at this point.

— Reply to this email directly, view it on GitHubhttps://github.com/dotnet/Kerberos.NET/issues/365#issuecomment-1941569927 or unsubscribehttps://github.com/notifications/unsubscribe-auth/AAJHTYJEVTL42AIUS2OC7FDYTNV7HBFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVE2TMNBSG4ZDGNJVURXGC3LFVFUGC427NRQWEZLMVRZXKYTKMVRXIX3UPFYGLLCJONZXKZKDN5WW2ZLOOSTHI33QNFRXHE4CUR2HS4DFVJZGK4DPONUXI33SPGSXMYLMOVS2QOBVGQ4DSMJTHCBKI5DZOBS2K2LTON2WLJLWMFWHKZNKGIYTEMJXG42DSNZXQKSHI6LQMWSWYYLCMVWKK5TBNR2WLKJVGY2DENZSGM2TLJ3UOJUWOZ3FOKTGG4TFMF2GK. You are receiving this email because you commented on the thread.

Triage notifications on the go with GitHub Mobile for iOShttps://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Androidhttps://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

[RussKahler1970]

How do I get the secret from the server? I have access to all of them.

[RussKahler1970]

this is the event viewer error I am getting. A Kerberos error message was received: on logon session Client Time: Server Time: 22:59:16.0000 2/13/2024 Z Error Code: 0xd KDC_ERR_BADOPTION Extended Error: 0xc000006e KLIN(0) Client Realm: Client Name: Server Realm: SALELYTICS.LOCAL Server Name: MSSQLSvc/sqlg1t.salelytics.local:1433 Target Name: MSSQLSvc/sqlg1t.salelytics.local:1433@SALELYTICS.LOCAL Error Text: File: onecore\ds\security\protocols\kerberos\client2\kerbtick.cxx Line: 128c Error Data is in record data.

[RussKahler1970]

this is what the ticket I am getting looks like in the decoder.

[SteveSyfuhs]

Unfortunately the thing to check is in the EncryptedPart which requires the service account password. Unfortunately I can't tell you how to get that password, though there are ways. Worst case you can run the bruce tool on that server as SYSTEM.

The error you posted above is certainly interesting. That is indicating the USER_NOT_DELEGATED flag is set on the user account, which presents as the forwardable flag not set on the ticket.

The other question is whether the user is from another forest. The library doesn't support it when acting as the middlebox, but it should support it as the client.

[RussKahler1970]

Thanks for the info. Which server would have have to run the bruce tool on? the server I am running as the client (web server ) that is making the call to get the ticket or do I need to run it on the server trying to parse the ticket. I have access to all of them. I am currently using my own account and that account is delegatable. I have another app that uses this site and my account connected to that app works fine and delegates to SQL.

I will see if I can get more info. If I provided you a serialized token can you decode it?

THanks for all your help on this.

Russ

On Tue, Feb 13, 2024 at 7:32 PM Steve Syfuhs @.***> wrote:

Unfortunately the thing to check is in the EncryptedPart which requires the service account password. Unfortunately I can't tell you how to get that password, though there are ways. Worst case you can run the bruce tool on that server as SYSTEM.

The error you posted above is certainly interesting. That is indicating the USER_NOT_DELEGATED flag is set on the user account, which presents as the forwardable flag not set on the ticket.

The other question is whether the user is from another forest. The library doesn't support it when acting as the middlebox, but it should support it as the client.

— Reply to this email directly, view it on GitHub https://github.com/dotnet/Kerberos.NET/issues/365#issuecomment-1942951182, or unsubscribe https://github.com/notifications/unsubscribe-auth/AR2QYLHHLDLUEWIFE5LDX63YTQH3TAVCNFSM6AAAAABC4ZGCUSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNBSHE2TCMJYGI . You are receiving this because you authored the thread.Message ID: @.***>

[RussKahler1970]

Is there anyway using the client that got the ticket to decode it?

[RussKahler1970]

I stepped into getting the service ticket. I think its all right there. So I assume the ticket is right. could it be in the GSS encoding where something is going wrong? is there a way to decode the encrypted part of that ticket?

[RussKahler1970]

running the decode app from the solution provides more details. not sure if this helps. I don't see Ticket Flags here yet, is that still encrypted in the other parts?

[RussKahler1970]

Not sue how to move forward. I am using an account that connects with Kerberos to the same site and works to delegate through to SQL so it seems to me it has to be an issue with the ticket/token. From above ticket seems to have the flags set so it seems to be an issue with the encoding. Any help or ideas would be great. I am stuck at this point. I guess some help decoding the ticket might help. if I could see that the ticket was ok to delegate. then I might be able to consider other factors.

[RussKahler1970]

I bit more information. if I use my personal account it fails unless our other client app using the same site has recently used sql access that is using the same impersonation. I assume either the server is maintaining a ticket it its cache and that is why it worked. Anyway please let me know if there is more I can provide. the ticket I am getting/sending in the httpclient request is not working with delegation but the user is valid to delegate and the server and sql are all working with impersonation and delegation. Not sure if there is anything else we can do.

[RussKahler1970]

Turns out I had and spn issue in our domain so it was not able to delegate the ticket through. I have since resolved that and all is working fine. I am going to close this issue.

[RussKahler1970]

Issue was an spn issue not a ticket generation issue.