Hi, I noticed that the KDC doesn't copy the pre-authent flag from the client evidence ticket to the issued ticket during S4U2proxy TGS requests. It seems to rely on the pre-authentication status of the service requesting the TGS req. I couldn't find anything in the Microsoft SFU spec about correct behaviour.
I haven't thought through whether there should be any problems in doing it, but regardless it results in a dilemma at the target service. Should it require preauth or not? Disabling "requires preauth" on the target service makes it work for the services using S4U2proxy, ... but on the other hand also disables the preauth requirement for clients accessing the target service directly.

regards,
/Peter

PS: Nobody answered this question about cross realm S4U2proxy, so I'll take the opportunity to mention it again: http://mailman.mit.edu/pipermail/kerberos/2014-January/019438.html
