



Re: Cross-realm S4U2Self with AD trust


https://www.rocksolidbbs.com/devel/article-flat.php?id=343&group=comp.protocols.kerberos#343

From: jcalmels@nvidia.com (Jonathan Calmels)
Newsgroups: comp.protocols.kerberos
Subject: Re: Cross-realm S4U2Self with AD trust
Date: Sat, 22 Apr 2023 05:03:43 +0000
Organization: TNet Consulting
Lines: 128
Message-ID: <mailman.60.1682143366.1964.kerberos@mit.edu>
References: <BYAPR12MB28886748C59BFA5E09088C89BB989@BYAPR12MB2888.namprd12.prod.outlook.com>
<BYAPR12MB288840FFCFB4B7EC125E8827BB619@BYAPR12MB2888.namprd12.prod.outlook.com>
In-Reply-To: <BYAPR12MB28886748C59BFA5E09088C89BB989@BYAPR12MB2888.namprd12.prod.outlook.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
 by: Jonathan Calmels - Sat, 22 Apr 2023 05:03 UTC

I guess a better question would be:

Does MIT Kerberos support S4U2Self with an Active Directory cross-realm 2-way trust as is, or does it require Samba with a cross-forest 2-way trust?

________________________________
From: Jonathan Calmels <jcalmels@nvidia.com>
Sent: Thursday, April 13, 2023 2:51 PM
To: kerberos@mit.edu <kerberos@mit.edu>
Subject: Cross-realm S4U2Self with AD trust

Hi,

We have a 2-way trust between a MIT KDC and MS AD.
In the MIT realm, we have a service that needs to perform protocol transition (S4U) on behalf of a user from the AD realm.
However, we're currently experiencing issues with S4U2Self whereby AD can't find said service in its database.

From our limited understanding of cross-realm S4U, we expect AD to issue a TGT referral for the MIT service with the PAC of the user as described in
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/f35b6902-6f5e-4cd0-be64-c50bbaaf54a5
However it seems like the remote MIT service is being looked up in AD's DB (maybe to check for TrustedToAuthForDelegation).
We tried configuring an account in AD with the same SPN as the one in the MIT realm, but it didn't change anything; requests always fail on step 3.

Looking at the request, libkrb5 seems to use a canonicalized enterprise principal name of the form "service/host.mit.realm\@MIT_REALM@AD_REALM for user@AD_REALM" to perform the request.
Is this accurate? (I couldn't find the reference in the S4U spec.) And if so, why does AD think this principal is part of its realm?
Are we missing anything configuration wise?

Logs and excerpt of the request:

$ kvno -I user@AD_REALM service/host.mit.realm

Getting initial credentials for service/host.mit.realm@MIT_REALM
Getting credentials user@AD_REALM -> service/host.mit.realm@MIT_REALM
Getting credentials service/host.mit.realm@MIT_REALM -> krbtgt/AD_REALM@MIT_REALM
Starting with TGT for client realm: service/host.mit.realm@MIT_REALM -> krbtgt/MIT_REALM@MIT_REALM
Requesting tickets for krbtgt/AD_REALM@MIT_REALM, referrals on
TGS reply is for service/host.mit.realm@MIT_REALM -> krbtgt/AD_REALM@MIT_REALM with session key aes256-sha2/E5C5
Received creds for desired service krbtgt/AD_REALM@MIT_REALM
Get cred via TGT krbtgt/AD_REALM@MIT_REALM after requesting service\/host.mit.realm\@MIT_REALM@AD_REALM (canonicalize on)
Got cred; -1765328377/Server not found in Kerberos database

kvno: Server not found in Kerberos database while getting credentials for service/host.mit.realm@MIT_REALM

$ klist

Default principal: service/host.mit.realm@MIT_REALM

Valid starting       Expires              Service principal
04/12/2023 14:32:02  04/13/2023 00:32:02  krbtgt/MIT_REALM@MIT_REALM
        renew until 04/19/2023 14:32:02
04/12/2023 14:32:02  04/13/2023 00:32:02  krbtgt/AD_REALM@MIT_REALM
        renew until 04/19/2023 14:32:02

==============
PA-DATA pA-FOR-USER
    padata-type: pA-FOR-USER (129)
    padata-value: 304fa0153013a003020101a10c300a1b086a63616c6d656c73a10c1b0a4e56494449412e…
        name
            name-type: kRB5-NT-PRINCIPAL (1)
            name-string: 1 item
                KerberosString: user
        realm: AD_REALM
        cksum
            cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
            checksum: d7a3ce0060dc9de668771aa397593450
        auth: Kerberos
req-body
    Padding: 0
    kdc-options: 40810000
        0... .... = reserved: False
        .1.. .... = forwardable: True
        ..0. .... = forwarded: False
        ...0 .... = proxiable: False
        .... 0... = proxy: False
        .... .0.. = allow-postdate: False
        .... ..0. = postdated: False
        .... ...0 = unused7: False
        1... .... = renewable: True
        .0.. .... = unused9: False
        ..0. .... = unused10: False
        ...0 .... = opt-hardware-auth: False
        .... 0... = unused12: False
        .... .0.. = unused13: False
        .... ..0. = constrained-delegation: False
        .... ...1 = canonicalize: True
        0... .... = request-anonymous: False
        .0.. .... = unused17: False
        ..0. .... = unused18: False
        ...0 .... = unused19: False
        .... 0... = unused20: False
        .... .0.. = unused21: False
        .... ..0. = unused22: False
        .... ...0 = unused23: False
        0... .... = unused24: False
        .0.. .... = unused25: False
        ..0. .... = disable-transited-check: False
        ...0 .... = renewable-ok: False
        .... 0... = enc-tkt-in-skey: False
        .... .0.. = unused29: False
        .... ..0. = renew: False
        .... ...0 = validate: False
    realm: AD_REALM
    sname
        name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
        sname-string: 1 item
            SNameString: service/host.mit.realm@MIT_REALM
    till: 2023-03-31 03:38:22 (UTC)
    nonce: 29027264
    etype: 2 items
        ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA384-192 (20)
        ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)

Thanks,
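As an added example (my code, not from the original post, MIT krb5 or Samba), here is the PA-FOR-USER element shown in the dissection above built, parsed and verified in Python, the way a KDC checks it before believing the requested user identity. The session key, user name and realm are constructed for the demo; in the trace the key would be the session key of the TGT the request is sent with, which is not on the page. The checksum construction follows MS-SFU 2.2.1 and the RFC 4757 HMAC-MD5 checksum (cksumtype -138, key usage 17), which is what MIT krb5 sends.

```python
"""PA-FOR-USER (padata-type 129), per [MS-SFU] 2.2.1 and the dissection above:

    PA-FOR-USER ::= SEQUENCE {
        userName      [0] PrincipalName,   -- name-type 1, "user"
        userRealm     [1] Realm,           -- "AD_REALM"
        cksum         [2] Checksum,        -- cksumtype -138 (HMAC-MD5), 16 bytes
        auth-package  [3] KerberosString   -- "Kerberos"
    }
The checksum covers name-type (4 bytes little-endian) || name components
|| realm || auth-package, keyed with the TGT session key.  All key material
and names below are constructed for the demo.
"""
import hashlib
import hmac
import struct

KERB_CHECKSUM_HMAC_MD5 = -138      # cksumtype in the dissection
NT_PRINCIPAL = 1                   # name-type in the dissection
KEYUSAGE_PA_FOR_USER = 17          # MS-SFU 2.2.1: fixed, whatever the key's enctype
AUTH_PACKAGE = "Kerberos"


def rfc4757_hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """RFC 4757 section 4 HMAC-MD5 checksum over the raw session-key bytes
    (MIT krb5 uses this for cksumtype -138 even when the key is AES)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def checksum_input(name_type: int, components: list, realm: str, auth: str) -> bytes:
    """Byte string the PA-FOR-USER checksum is computed over."""
    return (struct.pack("<I", name_type) + "".join(components).encode()
            + realm.encode() + auth.encode())


# --- minimal DER helpers, enough for the types PA-FOR-USER uses ------------
def der(tag: int, content: bytes) -> bytes:
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    ln = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def der_int(v: int) -> bytes:
    n = 1                                      # shortest two's-complement form
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return der(0x02, v.to_bytes(n, "big", signed=True))


def der_gstring(s: str) -> bytes:
    return der(0x1B, s.encode())               # GeneralString (KerberosString)


def ctx(n: int, content: bytes) -> bytes:
    return der(0xA0 | n, content)              # [n] explicit, constructed


def der_split(buf: bytes) -> list:
    """Split a DER blob into (tag, content) pairs."""
    items, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                          # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[i:i + n], "big")
            i += n
        items.append((tag, buf[i:i + ln]))
        i += ln
    return items


def encode_pa_for_user(session_key: bytes, components: list, realm: str,
                       name_type: int = NT_PRINCIPAL) -> bytes:
    """DER-encode PA-FOR-USER for components@realm under session_key."""
    cksum = rfc4757_hmac_md5_checksum(
        session_key, KEYUSAGE_PA_FOR_USER,
        checksum_input(name_type, components, realm, AUTH_PACKAGE))
    principal = der(0x30, ctx(0, der_int(name_type))
                    + ctx(1, der(0x30, b"".join(map(der_gstring, components)))))
    checksum = der(0x30, ctx(0, der_int(KERB_CHECKSUM_HMAC_MD5))
                   + ctx(1, der(0x04, cksum)))
    return der(0x30, ctx(0, principal) + ctx(1, der_gstring(realm))
               + ctx(2, checksum) + ctx(3, der_gstring(AUTH_PACKAGE)))


def decode_pa_for_user(encoded: bytes) -> tuple:
    """Return (name_type, components, realm, cksumtype, cksum, auth-package)."""
    [(_, body)] = der_split(encoded)
    f = {t & 0x1F: c for t, c in der_split(body)}
    [(_, pbody)] = der_split(f[0])
    p = {t & 0x1F: c for t, c in der_split(pbody)}
    [(_, nt)] = der_split(p[0])
    [(_, names)] = der_split(p[1])
    [(_, realm)] = der_split(f[1])
    [(_, cbody)] = der_split(f[2])
    c = {t & 0x1F: v for t, v in der_split(cbody)}
    [(_, ctype)] = der_split(c[0])
    [(_, cksum)] = der_split(c[1])
    [(_, auth)] = der_split(f[3])
    return (int.from_bytes(nt, "big", signed=True),
            [n.decode() for _, n in der_split(names)], realm.decode(),
            int.from_bytes(ctype, "big", signed=True), cksum, auth.decode())


def verify_pa_for_user(session_key: bytes, encoded: bytes) -> bool:
    """KDC-side check: recompute the checksum under the TGT session key and
    compare in constant time; a bad key or altered name must fail."""
    name_type, comps, realm, ctype, cksum, auth = decode_pa_for_user(encoded)
    if ctype != KERB_CHECKSUM_HMAC_MD5 or auth != AUTH_PACKAGE:
        return False
    expected = rfc4757_hmac_md5_checksum(
        session_key, KEYUSAGE_PA_FOR_USER,
        checksum_input(name_type, comps, realm, auth))
    return hmac.compare_digest(cksum, expected)


if __name__ == "__main__":
    key = bytes(range(32))                     # constructed AES-256-sized key
    pa = encode_pa_for_user(key, ["user"], "AD_REALM")
    print(pa.hex())                            # compare with padata-value above
    print(verify_pa_for_user(key, pa))
```

For an 8-character name and a 10-character realm the encoder's first 17 bytes, 304fa0153013a003020101a10c300a1b08, are exactly the structural prefix of the padata-value hex in the post before the name; the post's checksum itself cannot be recomputed here because the TGT session key is not on the page.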
