Below is my scenario:

The client connects to an intermediate service, and the intermediate service connects to the target service. I want to use the client's credentials from the intermediate service to connect to the target service.

I used the below code in the intermediate service to acquire the credentials of the client.

GSSCredential clientCredential = ((ExtendedGSSCredential) intermediateServiceCreds).impersonate(clientGSSName);

Establishing the context is failing with

NOT_ALLOWED_TO_DELEGATE

Do I need to set any flags while creating the principals of the client, intermediate service and target service? I don't want to make code changes in the client to set the credential delegation to true.

n4m31ess_c0d3r

1 Answer

Looks like your intermediate service principal is missing the "ok_to_auth_as_delegate" attribute. https://web.mit.edu/kerberos/krb5-devel/doc/admin/admin_commands/kadmin_local.html#add-principal

viktor
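
As an added example (not part of the answer above and not MIT Kerberos code), this shell sketch checks whether a principal already carries the attribute named in the answer before setting it with `kadmin.local`. The principal name and the sample `getprinc` output are constructed placeholders, and the script assumes `getprinc` prints the flags on an `Attributes:` line; the whole-word match keeps `ok_as_delegate` from being mistaken for `ok_to_auth_as_delegate`.

```shell
#!/bin/sh
# Added example. Run on the KDC host; principal names are placeholders.

# Print the flag list from `getprinc` output read on stdin.
# Assumption: the flags appear on a line starting with "Attributes:".
princ_attrs() {
    sed -n 's/^Attributes:[[:space:]]*//p'
}

# Succeed if the getprinc output on stdin lists exactly the given flag.
# The whole-line match (-x) means OK_AS_DELEGATE never satisfies a check
# for OK_TO_AUTH_AS_DELEGATE, or the other way round.
has_attr() {
    flag=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    princ_attrs | tr '[:lower:]' '[:upper:]' | tr ' ' '\n' | grep -qx "$flag"
}

# Set the attribute on one principal only if it is missing, so that each
# grant of this privilege is a deliberate, visible change.
grant_if_missing() {
    princ=$1
    if kadmin.local -q "getprinc $princ" | has_attr ok_to_auth_as_delegate; then
        echo "$princ: ok_to_auth_as_delegate already set"
    else
        kadmin.local -q "modprinc +ok_to_auth_as_delegate $princ"
    fi
}

# Constructed, abbreviated getprinc output for a principal that has
# ok_as_delegate but not ok_to_auth_as_delegate.
sample_getprinc() {
    cat <<'EOF'
Principal: HTTP/intermediate.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes: REQUIRES_PRE_AUTH OK_AS_DELEGATE
Policy: [none]
EOF
}

# Usage: ./grant.sh HTTP/intermediate.example.com@EXAMPLE.COM
if [ $# -gt 0 ]; then
    grant_if_missing "$1"
fi
```
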