[kitten] OT: MS Kerb constrained delegation, tickets with KRB_NT_ENTERPRISE
mrex@sap.com (Martin Rex) Wed, 27 November 2013 22:59 UTC
Return-Path: <mrex@sap.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01ECA1ADFA4 for <kitten@ietfa.amsl.com>; Wed, 27 Nov 2013 14:59:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FW8TqZEfqC7p for <kitten@ietfa.amsl.com>; Wed, 27 Nov 2013 14:59:33 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id C1A9D1ADF9A for <kitten@ietf.org>; Wed, 27 Nov 2013 14:59:32 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id rARMxVEJ019076 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <kitten@ietf.org>; Wed, 27 Nov 2013 23:59:31 +0100 (MET)
To: kitten@ietf.org
Date: Wed, 27 Nov 2013 23:59:31 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131127225931.08F211AB0B@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Subject: [kitten] OT: MS Kerb constrained delegation, tickets with KRB_NT_ENTERPRISE
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2013 22:59:35 -0000
Sorry for a slightly OT question about a Kerberos protocol/interop issue. What is the exact purpose and semantics of a Kerberos Ticket that contains a KRB_NT_ENTERPRISE cname for the receiver of the AP_REQ (the acceptor)? The usage scenario is Microsoft Kerberos using constrained delegation (a web server plugin in some Sharepoint environment). That web server plugin was written in .NET and passes the Client UPN it receives from Sharepoint "User@example.com" to "S4UClient.UpnLogon()", and according to the Wireshark trace, results in a KRB_TGS_REP with http://tools.ietf.org/html/rfc4120#section-5.4.2 crealm = "EXAMPLE.COM" cname = { KRB_NT_ENTERPRISE, "User@example.com" } When a Microsoft Kerberos Acceptor processes the resulting AP_REQ, it appears to return "User@EXAMPLE.COM@EXAMPLE.COM" from QueryContextAttributes(NATIVE_NAMES), which will be rejected by the application caller since it does not match the name as it appears on the ACL ("User@EXAMPLE.COM") When the Webserver plugin is modified to strip the domain/realm before passing it to S4UClient.UpnLogon(), then the resulting ticket seems to contain: crealm = "EXAMPLE.COM" cname = { KRB_NT_ENTERPRISE, "User" } and the Microsoft Kerberos Acceptor will return "User@EXAMPLE.COM" from QueryContextAttributes(NATIVE_NAMES), i.e. something that the server can match. I believe something is going wrong, but wondering where: - client/initiator in creating KRB_TGS_REQ ? - KDC in creating KRB_TGS_REP ? - server/acceptor in processing AS_REQ and creating (the equivalent of) src_name for gss_accept_sec_context ? My world is GSS-API and I'm no Kerberos protocol wrangler. This issue was reported to me by a customer, I have no personal experience with programming .NET, IIS-plugins and constrained delegation. But my "gsskrb5.dll" wrapper for the Microsoft Kerberos SSP was used during impersonation/delegation for authenticating to our backend application, and the wrong Username popped up at the backend. -Martin