- Kerberos authentication to a WinRM endpoint
- 2 Windows endpoints: 1 is trusted for unconstrained delegation (`Y`), the other is not trusted for any delegation (`N`)
- Trying to reconcile the behaviour of `GSS_C_DELEG_POLICY_FLAG` for both MIT and Heimdal
- This does not take into consideration any `krb5.conf` values that could affect this behaviour
- The `Doc` behaviour is based on what is in this blog post
- Tested on CentOS 8 against a Microsoft KDC
- MIT krb5 version `1.17`
- Heimdal krb5 version `7.7.0`
| req_flags | ok-as-delegate | provider | delegated | ret_flags |
| --- | --- | --- | --- | --- |
| None | Y | MIT | N | None |
| None | Y | Heimdal | N | None |
| None | Y | Doc | N | None |
| None | N | MIT | N | None |
| None | N | Heimdal | N | None |
| None | N | Doc | N | None |
| DELEG | Y | MIT | Y | DELEG |
| DELEG | Y | Heimdal | Y | DELEG |
| DELEG | Y | Doc | Y | DELEG |
| DELEG | N | MIT | Y | DELEG |
| DELEG | N | Heimdal | Y | DELEG |
| DELEG | N | Doc | Y | DELEG |
| DELEG_POLICY | Y | MIT | Y | DELEG \| DELEG_POLICY |
| DELEG_POLICY | Y | Heimdal | Y | DELEG \| DELEG_POLICY |
| DELEG_POLICY | Y | Doc | Y | DELEG \| DELEG_POLICY |
| DELEG_POLICY | N | MIT | N | None |
| DELEG_POLICY | N | Heimdal | N | None |
| DELEG_POLICY | N | Doc | N | None |
| DELEG \| DELEG_POLICY | Y | MIT | Y | DELEG \| DELEG_POLICY |
| DELEG \| DELEG_POLICY | Y | Heimdal | Y | DELEG \| DELEG_POLICY |
| DELEG \| DELEG_POLICY | Y | Doc | Y | DELEG \| DELEG_POLICY |
| DELEG \| DELEG_POLICY | N | MIT | Y | DELEG |
| DELEG \| DELEG_POLICY | N | Heimdal | Y | DELEG |
| DELEG \| DELEG_POLICY | N | Doc | Y | DELEG |
Most scenarios are the same except for using MIT with just `GSS_C_DELEG_POLICY_FLAG` set on an ok-as-delegate SPN.

This was incorrect; after testing again I saw the same behaviour between MIT and Heimdal, so this was a false positive.
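The table above is a set of instances of one rule: `GSS_C_DELEG_FLAG` forwards the TGT unconditionally, `GSS_C_DELEG_POLICY_FLAG` forwards it only when the KDC marked the service ticket ok-as-delegate, and the returned `DELEG_POLICY` bit is the only signal that the target was actually approved for delegation. The following is an added example (not code from these notes) that models that rule generically and adds the check a WinRM client can run on the negotiated flags afterwards; the `GssFlag` names are constructed, not the python-gssapi enum (where the same two flags are `RequirementFlag.delegate_to_peer` and `RequirementFlag.ok_as_delegate`).

```python
from enum import Flag, auto


class GssFlag(Flag):
    """Constructed subset of GSS-API req/ret flags used in these notes."""
    NONE = 0
    DELEG = auto()         # GSS_C_DELEG_FLAG: delegate regardless of the SPN's trust
    DELEG_POLICY = auto()  # GSS_C_DELEG_POLICY_FLAG: delegate only if KDC says ok-as-delegate


def expected_delegation(req_flags: GssFlag, ok_as_delegate: bool):
    """Model of the MIT/Heimdal behaviour in the table: returns (delegated, ret_flags).

    ok_as_delegate is whether the KDC set the OK-AS-DELEGATE ticket flag for the
    target SPN (Y/N column), i.e. whether the host is trusted for unconstrained
    delegation in AD.
    """
    delegated = False
    ret = GssFlag.NONE
    if GssFlag.DELEG in req_flags:
        # Unconditional delegation: the client never consults the ticket flag.
        delegated = True
    elif GssFlag.DELEG_POLICY in req_flags and ok_as_delegate:
        # Policy-gated delegation: the library forwards the TGT only on KDC approval.
        delegated = True
    if delegated:
        ret |= GssFlag.DELEG
        # DELEG_POLICY is echoed back only when it was requested AND the target was
        # ok-as-delegate; with DELEG alone it is never set even for a trusted host.
        if GssFlag.DELEG_POLICY in req_flags and ok_as_delegate:
            ret |= GssFlag.DELEG_POLICY
    return delegated, ret


def delegated_against_policy(req_flags: GssFlag, ret_flags: GssFlag) -> bool:
    """Post-handshake check on the context's actual flags.

    True means a TGT was forwarded to a service the KDC did NOT mark ok-as-delegate.
    This is only detectable when DELEG_POLICY was requested: ret DELEG present while
    ret DELEG_POLICY is absent. With DELEG alone the ret flags carry no trust signal.
    """
    if GssFlag.DELEG_POLICY not in req_flags:
        return False
    return GssFlag.DELEG in ret_flags and GssFlag.DELEG_POLICY not in ret_flags
```

Requesting only `DELEG_POLICY` lets the library enforce the policy for you; requesting both flags keeps delegation working against untrusted hosts, so a client doing that should inspect the returned flags with a check like `delegated_against_policy` before trusting the session.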