Can someone tell me if a TGT containing an authentication indicator will work over to a service principal in another realm which has a cross realm trust relationship?
Thanks,
Glenn
On 9/30/22 16:06, Machin, Glenn Douglas via Kerberos wrote:
> Can someone tell me if a TGT containing an authentication indicator will work over to a service principal in another realm which has a cross realm trust relationship?

Authentication indicators are currently only accepted within the same
realm; cross-realm service ticket requests do not preserve the
indicators from the cross-realm TGT.
> On 9/30/22 16:06, Machin, Glenn Douglas via Kerberos wrote:
>> Can someone tell me if a TGT containing an authentication
>> indicator will work over to a service principal in another realm
>> which has a cross realm trust relationship?
>
> Authentication indicators are currently only accepted within the
> same realm; cross-realm service ticket requests do not preserve the
> indicators from the cross-realm TGT.
Hm, should they be preserved?
We are in the unusual situation of (a) relying on ticket flags to
indicate the use of hardware preauth and (b) we do a lot of cross-
realm. So we depend on the client realm asserting the hw-auth ticket
flag and make authorization decisions based on that (obviously, we
trust those realms to only assert hw-auth flag when appropriate).
AND my eventual plan was to transition to authentication indicators
instead of the hw-auth ticket flag.
RFC 8129 acknowledges the existence of cross-realm authentication and
vaguely implies they will be preserved, specifically here:

    Application service evaluation of site-defined indicators MUST
    consider the realm of original authentication in order to avoid
    cross-realm indicator collisions. Failure to enforce this property
    can result in invalid authorization decisions.
So is this just an implementation detail? Is there something more
that I am missing? (Entirely possible!).
If it's just an implementation detail, what would the parameters of
an acceptable patch look like?
E.g., would the default be to not accept any authentication indicators
when doing cross realm, and you have to explicitly list realms you
accept authentication indicators from? Or something else?
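As an added example (not krb5 project code, and not written by anyone in the thread), here is the kind of realm-aware check that the RFC 8129 sentence quoted above asks an application service to perform, using the default proposed in the previous message: indicators from a foreign realm are ignored unless that realm is listed explicitly, and indicators are realm-qualified so "hwauth" from two different realms can never collide. The realm names, indicator names and the policy table are constructed for illustration. The code takes the client principal and the ticket's indicator strings as already extracted (MIT krb5 exposes them to GSSAPI applications as the auth-indicators name attribute) and says nothing about how, or whether, the KDC propagates them across the trust.

```python
# Added example, not from the krb5 project or the thread participants.
# Realms, indicator names and the policy table below are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, Mapping


def principal_realm(principal: str) -> str:
    """Return the realm of a Kerberos principal string.

    The realm follows the last unescaped '@'; a backslash escapes the next
    character, so 'odd\\@user@EXAMPLE.ORG' has the realm EXAMPLE.ORG.
    """
    at = -1
    escaped = False
    for i, ch in enumerate(principal):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "@":
            at = i
    if at < 0 or at == len(principal) - 1:
        raise ValueError(f"principal has no realm: {principal!r}")
    return principal[at + 1:]


@dataclass(frozen=True)
class IndicatorPolicy:
    """Which indicators an application service honours, keyed by asserting realm.

    service_realm:      the realm the service itself lives in.
    local_indicators:   indicators our own KDC is trusted to assert.
    foreign_indicators: explicit opt-in per trusted foreign realm.  A realm
                        that is absent contributes no indicators at all, i.e.
                        the conservative default proposed in the thread.
    """
    service_realm: str
    local_indicators: FrozenSet[str]
    foreign_indicators: Mapping[str, FrozenSet[str]] = field(default_factory=dict)


def accepted_indicators(policy: IndicatorPolicy, client: str,
                        ticket_indicators: Iterable[str]) -> FrozenSet[str]:
    """Filter the indicators carried in a ticket by the realm that asserted them.

    Returns realm-qualified names ('REALM:indicator') so that the same
    site-defined name asserted by two realms is never confused downstream.
    """
    realm = principal_realm(client)
    if realm == policy.service_realm:
        allowed = policy.local_indicators
    else:
        allowed = policy.foreign_indicators.get(realm, frozenset())
    return frozenset(f"{realm}:{ind}" for ind in ticket_indicators if ind in allowed)


def satisfies(policy: IndicatorPolicy, client: str,
              ticket_indicators: Iterable[str], required: str) -> bool:
    """True if the ticket carries `required` and its realm may assert it."""
    wanted = f"{principal_realm(client)}:{required}"
    return wanted in accepted_indicators(policy, client, ticket_indicators)


# Constructed policy: our realm asserts 'hwauth' and 'otp'; we honour only
# 'hwauth' from TRUSTED.EXAMPLE and nothing from any other realm.
EXAMPLE_POLICY = IndicatorPolicy(
    service_realm="SERVICE.EXAMPLE",
    local_indicators=frozenset({"hwauth", "otp"}),
    foreign_indicators={"TRUSTED.EXAMPLE": frozenset({"hwauth"})},
)

if __name__ == "__main__":
    # Constructed tickets: (client principal, indicators seen in the ticket).
    cases = [
        ("alice@SERVICE.EXAMPLE", ["hwauth"]),          # local, honoured
        ("bob@TRUSTED.EXAMPLE", ["hwauth", "otp"]),     # only hwauth honoured
        ("eve@OTHER.EXAMPLE", ["hwauth"]),              # realm not opted in
        ("bob@TRUSTED.EXAMPLE", []),                    # indicators dropped by KDC
    ]
    for client, inds in cases:
        print(client, sorted(accepted_indicators(EXAMPLE_POLICY, client, inds)),
              "hwauth ok" if satisfies(EXAMPLE_POLICY, client, inds, "hwauth") else "denied")
```

The last constructed case is what a service sees today given the earlier answer in this thread: a cross-realm service ticket arrives with no indicators at all, so a check that requires one fails closed rather than silently passing.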