On 02/22/2014 09:48 AM, Peter Mogensen wrote:
> I noticed that the KDC doesn't copy the pre-authent flag from the client
> evidence ticket to the issued ticket during S4U2proxy TGS requests.
> It seems to rely on the pre-authentication status of the service
> requesting the TGS req.
> I couldn't find anything in the Microsoft SFU spec about correct behaviour.

I'm not sure what's correct either. Heimdal also copies that flag from the TGT. I don't believe ticket flags are covered by AD-SIGNEDPATH, so I don't think we can be sure that they weren't modified by the requesting service.

> I haven't thought through whether there should be any problems in doing
> it, but regardless it results in a dilemma at the target service.
> Should it require preauth or not? Disabling "requires preauth" on the
> target service makes it work for the services using S4U2proxy, ... but on
> the other hand also disables the preauth requirement for clients
> accessing the target service directly.

I don't recommend using the requires_preauth flag on service principals (unless you require it on every principal in the DB, which is a reasonable option in a new deployment). If we had a time machine, we would probably only give a meaning for the requires_preauth flag on client principals.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
