Kerberos constrained delegation

  • Question

  • Hello,

    I have one protocol-level thing I would like you to clarify. I appreciate your help.

    A user’s machine/client can send the service either a “forwarded TGT along with the service ticket” OR a “forwardable service ticket”.

    I am trying to understand what the practical difference is.

    Per my understanding, when service S1 receives a “forwarded TGT”, it can use it to impersonate the client and get the service ticket of any service that the client is entitled to.

    And in the same way,

    when service S1 receives the “forwardable service ticket”, it can exchange it to get the service ticket of any downstream service.

    A forwardable service ticket is nothing but a proxy service ticket, where the service that is allowed to use the proxy is given complete freedom to use the identity with any remote service the identity would otherwise be able to access.

    Hence I am not sure which one should be preferable.


    Monday, August 10, 2020 7:19 PM
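The difference the question is asking about can be seen by modelling the KDC's policy check for the two paths. The following is an added example written for this page, not code from the poster or from any Kerberos implementation: a toy KDC that issues tickets the way Active Directory does for (a) a forwarded TGT handed to a service marked trusted for delegation (unconstrained delegation) and (b) a forwardable service ticket presented by the service as S4U2Proxy evidence (constrained delegation), where the KDC only issues tickets for targets listed in the service's msDS-AllowedToDelegateTo attribute. The principal names, SPNs and directory contents (alice@CORP, HTTP/s1.corp, MSSQLSvc/db.corp and so on) are constructed; encryption, the PAC, ticket lifetimes and the S4U2Self step are deliberately omitted so that only the authorisation decision remains.

```python
"""Toy model of Kerberos delegation policy (constructed example, not a real KDC)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Ticket:
    client: str              # principal the ticket identifies, e.g. "alice@CORP"
    service: str             # SPN the ticket is addressed to; "krbtgt" marks a TGT
    forwardable: bool        # FORWARDABLE flag set on the ticket
    forwarded: bool = False  # FORWARDED flag: TGT was re-issued for use by a service


@dataclass
class Kdc:
    # Constructed directory state. `unconstrained` stands for accounts with
    # TRUSTED_FOR_DELEGATION; `allowed_to_delegate_to` stands for each
    # service's msDS-AllowedToDelegateTo list (constrained delegation).
    unconstrained: Set[str] = field(default_factory=set)
    allowed_to_delegate_to: Dict[str, Set[str]] = field(default_factory=dict)

    def tgs_req_with_tgt(self, tgt: Ticket, target: str) -> Ticket:
        """Ordinary TGS-REQ: whoever presents a valid TGT gets a ticket for any target.
        A forwarded TGT is a TGT, so the holder inherits the client's full reach."""
        if tgt.service != "krbtgt":
            raise ValueError("a TGS-REQ must carry a TGT")
        return Ticket(client=tgt.client, service=target, forwardable=tgt.forwardable)

    def forward_tgt(self, tgt: Ticket, to_service: str) -> Ticket:
        """Client asks for a copy of its TGT to hand to `to_service` (unconstrained delegation).
        The KDC requires the TGT to be FORWARDABLE and the receiving service to be
        trusted for delegation; it does not limit where the service may use it."""
        if not tgt.forwardable:
            raise PermissionError("TGT is not FORWARDABLE")
        if to_service not in self.unconstrained:
            raise PermissionError(f"{to_service} is not trusted for delegation")
        return Ticket(client=tgt.client, service="krbtgt", forwardable=True, forwarded=True)

    def s4u2proxy(self, service: str, evidence: Ticket, target: str) -> Ticket:
        """Constrained delegation: `service` presents the client's forwardable service
        ticket (addressed to `service`) as evidence and asks for a ticket to `target`.
        The KDC only grants targets on the service's msDS-AllowedToDelegateTo list."""
        if evidence.service != service:
            raise PermissionError("evidence ticket is not addressed to the requesting service")
        if not evidence.forwardable:
            raise PermissionError("evidence ticket is not FORWARDABLE")
        if target not in self.allowed_to_delegate_to.get(service, set()):
            raise PermissionError(f"{service} may not delegate to {target}")
        # The resulting ticket is not forwardable: S1 cannot chain it onward.
        return Ticket(client=evidence.client, service=target, forwardable=False)


def _granted(request: Callable[[], Ticket]) -> bool:
    """True if the KDC issues the ticket, False if policy denies it."""
    try:
        request()
        return True
    except PermissionError:
        return False


def compare_delegation_paths() -> Dict[str, List[str]]:
    """Which downstream SPNs can S1 reach on alice's behalf under each path?
    Constructed scenario: s1-legacy is unconstrained, s1 is constrained to the DB."""
    kdc = Kdc(
        unconstrained={"HTTP/s1-legacy.corp"},
        allowed_to_delegate_to={"HTTP/s1.corp": {"MSSQLSvc/db.corp"}},
    )
    targets = ["MSSQLSvc/db.corp", "cifs/fileserver.corp", "ldap/dc.corp"]
    alice_tgt = Ticket(client="alice@CORP", service="krbtgt", forwardable=True)

    # Path 1: alice's client forwards her TGT to the unconstrained service.
    forwarded = kdc.forward_tgt(alice_tgt, "HTTP/s1-legacy.corp")
    via_forwarded_tgt = [
        t for t in targets if _granted(lambda: kdc.tgs_req_with_tgt(forwarded, t))
    ]

    # Path 2: alice gets a forwardable service ticket for S1; S1 uses it as S4U2Proxy evidence.
    ticket_for_s1 = kdc.tgs_req_with_tgt(alice_tgt, "HTTP/s1.corp")
    via_constrained = [
        t for t in targets if _granted(lambda: kdc.s4u2proxy("HTTP/s1.corp", ticket_for_s1, t))
    ]
    return {"forwarded_tgt": via_forwarded_tgt, "constrained": via_constrained}


if __name__ == "__main__":
    for path, reachable in compare_delegation_paths().items():
        print(f"{path}: {reachable}")
```

Running it shows the forwarded-TGT path reaching every target while the constrained path reaches only the listed SPN, which is why, from a defender's point of view, accounts with `TrustedForDelegation` set deserve the closest review: a service holding a forwarded TGT carries the user's whole identity, whereas the constrained path lets the directory administrator state exactly which downstream services that identity may be used against.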