[prev in list] [next in list] [prev in thread] [next in thread] 

List:       krbdev
Subject:    Re: [External] : Re: Windows Credential Guard with MSLSA
From:       Seshan Parameswaran <seshan.parameswaran () oracle ! com>
Date:       2023-10-11 22:46:39
Message-ID: BYAPR10MB3479518436C84B6976625D0A9DCCA () BYAPR10MB3479 ! namprd10 ! prod ! outlook ! com

Hi
I have a follow-up question on "the client doesn't forward the TGT". If I set the user account on the AD directory host to support delegation, the client would send a forwardable TGT to the server. The server then can use that TGT to obtain its own TGT and follow the rest of the steps as detailed below. Please let me know if that is a possibility.

Thanks

Seshan

From: krbdev <krbdev-bounces@mit.edu> on behalf of Ken Hornstein via krbdev <krbdev@mit.edu>
Date: Thursday, September 7, 2023 at 10:30 AM
To: Alexander Bokovoy <abokovoy@redhat.com>
Cc: krbdev@mit.edu <krbdev@mit.edu>
Subject: Re: [External] : Re: Windows Credential Guard with MSLSA
>A sample implementation of S4U operations using raw Kerberos 5 API can
>be found in kvno utility source code.

I did see that!  But it is a little unclear to me how exactly that
works in an application server.

Hm, it is entirely possible I am overthinking it a bit; it seems
like the "normal" case is you just use the regular service ticket as
the evidence ticket.  So I guess that would look like:

- The client is unchanged (well, they don't forward a TGT)
- The application server gets a TGT for itself using its own service key
  (tons of ways of doing that) and places that in a credential cache.
- The application server takes the decrypted ticket from krb5_rd_req()
  (or the equivalent) and calls krb5_get_credentials_for_proxy() to
  perform the S4U2Proxy request.  Sadly, krb5_get_credentials_for_proxy()
  is not in the public krb5.h header file.  Sigh.

--Ken
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev