Hi,
To perform constrained delegation from Service A to Service B,
forwardable flag must be set in the S4U2Self service ticket returned by KDC to Service A.
I did some testing with Windows KDC and it will set forwardable flag in S4U2Self service ticket in either of the following cases:
1) TrustedToAuthForDelegation is set to true in Service A account.
2) Service A TGT used in S4U2Self has forwardable flag set and msDS-AllowedToDelegateTo list is empty on Service A account.
I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
in the 2nd case.
Is the behavior of MIT KDC the same as Windows KDC ?
In my test, I have configured resource based constrained delegation in Service B (principalsAllowedToDelegateTo).
--
Regards,
Vipul
I did some testing with Windows KDC and it will set forwardable flag in S4U2Self service ticket in either of the following cases:
1) TrustedToAuthForDelegation is set to true in Service A account.
2) Service A TGT used in S4U2Self has forwardable flag set and msDS-AllowedToDelegateTo list is empty on Service A account.
I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
in the 2nd case.
Is the behavior of MIT KDC the same as Windows KDC ?
Service ticket used in S4U2Proxy need not be forwardable if resource
based constrained delegation is used i.e.
principalsAllowedToDelegateTo option is
configured on Service B.
On 7/23/21 4:38 PM, Vipul Mehta wrote:...
I did some testing with Windows KDC and it will set forwardable flag in S4U2Self service ticket in either of the following cases:
1) TrustedToAuthForDelegation is set to true in Service A account.
2) Service A TGT used in S4U2Self has forwardable flag set and msDS-AllowedToDelegateTo list is empty on Service A account.
I am not able to understand why msDS-AllowedToDelegateTo needs to be empty in the 2nd case.
Is the behavior of MIT KDC the same as Windows KDC ?
We have an analog of the TrustedToAuthForDelegation flag, called ok_to_auth_as_delegate. We don't check for an empty
allowed-to-delegate-to list.
https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3
On Mon, Jul 26, 2021 at 10:17 PM Greg Hudson <ghudson@mit.edu> wrote:
On 7/23/21 4:38 PM, Vipul Mehta wrote:
I did some testing with Windows KDC and it will set forwardable flag in S4U2Self service ticket in either of the following cases:
1) TrustedToAuthForDelegation is set to true in Service A account.
2) Service A TGT used in S4U2Self has forwardable flag set and msDS-AllowedToDelegateTo list is empty on Service A account.
I am not able to understand why msDS-AllowedToDelegateTo needs to be empty
in the 2nd case.
Is the behavior of MIT KDC the same as Windows KDC ?
We have an analog of the TrustedToAuthForDelegation flag, called ok_to_auth_as_delegate. We don't check for an empty...
allowed-to-delegate-to list.
https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3
Now that I read this again, and read again the "Additional
considerations" section in that link, I think what might happened with
this change is that now RBCD requires the forwardable flag but any
service with an empty msDS-AllowedToDelegateTo to list, as Vipul
remarked, gets treated as TrustedToAuthForDelegation and gets the flag (presumably, unless the client is in the protected-users group or has
the not-delegated flag).
I'll run some tests and check it with dochelp.
On 7/23/21 4:38 PM, Vipul Mehta wrote:
I did some testing with Windows KDC and it will set forwardable flag in S4U2Self service ticket in either of the following cases:
1) TrustedToAuthForDelegation is set to true in Service A account.
2) Service A TGT used in S4U2Self has forwardable flag set and msDS-AllowedToDelegateTo list is empty on Service A account.empty
I am not able to understand why msDS-AllowedToDelegateTo needs to be
in the 2nd case.
Is the behavior of MIT KDC the same as Windows KDC ?
We have an analog of the TrustedToAuthForDelegation flag, called ok_to_auth_as_delegate. We don't check for an empty
allowed-to-delegate-to list.
Service ticket used in S4U2Proxy need not be forwardable if resource
based constrained delegation is used i.e.
principalsAllowedToDelegateTo option is
configured on Service B.
Note that, as of 2019, the forwardable flag must be set on the evidence ticket if the delegation is authorized in both directions (on the intermediate service and the target service). We implemented this counterintuitive behavior in the MIT KDC for consistency.
There is some reason to think this might be changing. This article
(noted by Isaac):
https://support.microsoft.com/en-us/topic/managing-deployment-of-rbcd-protected-user-changes-for-cve-2020-16996-9a59a49f-20b9-a292-f205-da9da0ff24d3
talks about a protection measure that "unifies the logic for
Resource-Based Constrained Delegation (RBCD) with the original
constrained delegation." We have asked Microsoft for clarification.
Need a clarification:
MIT KDC will set the forwardable flag in S4U2Self ticket in following cases (provided account is not sensitive and not part of secure group):
1) ok_to_auth_as_delegate is true
or
2) ok_to_auth_as_delegate is false and Service TGT has forwardable flag set
I have windows server 2012 R2 with all the security updates installed and did some tests:
Resource Based Constrained Delegation configured for Service A in Service B account.
Case 1) Service A : trustedToAuthForDelegation = false and non-empty msds-AllowedToDelegateTo -> S42U2Self ticket didn't have a forwardable flag and subsequent S4U2Proxy failed.
Now we know that behavior is unified and S4U2Self ticket should be forwardable to avoid vulnerability, i think we can add a check in MIT Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if ticket is not forwardable it will fail inclient itself.
I can see that JDK has this check: https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java -> line 105
line 105
On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
I have windows server 2012 R2 with all the security updates installedand did some tests:
Resource Based Constrained Delegation configured for Service A inService B account.
Case 1) Service A : trustedToAuthForDelegation = false and non-emptymsds-AllowedToDelegateTo -> S42U2Self ticket didn't have a forwardable flag and subsequent S4U2Proxy failed.
That's expected because the default of 'NonForwardableDelegation' is
enabled I think, so RBCD requires forwardable flag now, if you set NonForwardableDelegation to disabled (that is to 1 ..), then RBCD
S4U2Proxy will continue to work as before the update.
On Tue, Jul 27, 2021 at 6:54 PM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
Need a clarification:cases
MIT KDC will set the forwardable flag in S4U2Self ticket in following
(provided account is not sensitive and not part of secure group):set
1) ok_to_auth_as_delegate is true
or
2) ok_to_auth_as_delegate is false and Service TGT has forwardable flag
In case of 2) we'll also check that
'ServicesAllowedToSendForwardedTicketsTo' is empty like in the doc, I
was just suggesting implementation wise that we do it in the plugin
instead of the kdc itself, that is when the principal is retrieved the
plugin will add 'ok_to_auth_as_delegate' if the 'ServicesAllowedToSendForwardedTicketsTo' is empty.
On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
Now we know that behavior is unified and S4U2Self ticket should beforwardable to avoid vulnerability, i think we can add a check in MIT Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if ticket is not forwardable it will fail in client itself.
I can see that JDK has this check:
https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
line 105
MIT used to have that as well before RBCD was added, although I don't
think this was ever necessary, as that check should be done in the
KDC. Also disabling NonForwardableDelegation can be a valid usage when relying on SIDs and not using protected-group, as in the original RBCD design:
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
Thank you.
This was a useful discussion for me.
On Wed, Jul 28, 2021 at 4:36 PM Isaac Boukris <iboukris@gmail.com> wrote:
On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1989@gmail.com>
wrote:
forwardable to avoid vulnerability, i think we can add a check in MIT
Now we know that behavior is unified and S4U2Self ticket should be
Kerberos API itself such that before sending S4U2Proxy TGS-REQ to KDC, if
ticket is not forwardable it will fail in client itself.
https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
I can see that JDK has this check:
line 105
MIT used to have that as well before RBCD was added, although I don't
think this was ever necessary, as that check should be done in the
KDC. Also disabling NonForwardableDelegation can be a valid usage when
relying on SIDs and not using protected-group, as in the original RBCD
design:
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
--
Regards,
Vipul
I have one more query on this based on following statement in microsoft document:
"If a non forwardable S4U2self-generated user's service ticket for a nonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request."
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
Is this implemented in the MIT Kerberos client ?
Hi Vipul,
On Wed, Aug 25, 2021 at 6:12 AM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
I have one more query on this based on following statement in microsoftdocument:
"If a non forwardable S4U2self-generated user's service ticket for anonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request."
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ddb2cafd-1f01-4834-b52a-d4a5b34cd960
Is this implemented in the MIT Kerberos client ?
No it isn't, we just assume all the KDCs support RBCD.
I think this has become less relevant now that RBCD requires the
forwardable flag as well [1]. I guess this doc should be updated too.
[1] https://lists.samba.org/archive/cifs-protocol/2021-July/003608.html
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 296 |
Nodes: | 16 (3 / 13) |
Uptime: | 51:27:55 |
Calls: | 6,650 |
Calls today: | 2 |
Files: | 12,200 |
Messages: | 5,330,304 |