Skip Menu |

Subject: Resource Based Constrained Delegation client support
Windows Server 2012 added a feature called Resource Based Constrained
Delegation, which allows delegation policy to be configured on the
S4U2Proxy target's principal entry rather than the intermediate's, and
allows the intermediate and target to be in different realms.

Some client support is apparently necessary to make this work. We have
received at least one request to implement these client changes; I am
creating this ticket to track that request. I have not done the research
to understand the scope of the required client changes.
Subject: Resource Based Constrained Delegation support
Isaac Boukris has implemented client and KDC support, which is at or near completion.

The client must send a PA-PAC-OPTIONS pa-data item with the bit set for RBCD support.  If the KDC responds to an S4U2Proxy request with a referral, the client must follow the referral path to the destination realm twice, once to get a cross-TGT with its own authdata and once to get a cross-TGT with the impersonated client's authdata.  The client must then make an S4U2Proxy request to the destination realm with the second cross-TGT as the evidence ticket.  This is described in [MS-SFU]

The KDC needs a new DAL method to authorize S4U2Proxy requests at the target principal entry (with the intermediate service name as a parameter).  We will call this method allowed_to_delegate_from().  The KDC also needs a way to read the client name out of the PAC for the final S4U2Proxy request.  This will be implemented via a second new DAL method get_authdata_info(); this method can also return an opaque representation of the PAC (or other authorization data) for consumption by sign_authdata() and allowed_to_delegate_from(), to avoid repeat parsing.
Subject: git commit

Move S4U2Proxy client code to s4u_creds.c

Add an internal libkrb5 interface k5_get_proxy_cred_from_kdc(), which
implements S4U2Proxy requests synchronously. Call it from
krb5_get_credentials() if constrained delegation is requested.

[ rewrote commit message; made style changes]
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: 2b29619aa27c2e63fea80cac60b5607a3fce972f
Branch: master
src/lib/krb5/krb/get_creds.c | 28 +++-------
src/lib/krb5/krb/int-proto.h | 10 +++
src/lib/krb5/krb/s4u_creds.c | 130 ++++++++++++++++++++++++++++++++++++++++--
3 files changed, 143 insertions(+), 25 deletions(-)
Subject: git commit
Download (untitled) / with headers
text/plain 1.4KiB

Add RBCD client support

When making S4U2Proxy requests, include a PA-PAC-OPTIONS pa-data
element advertising resource-based constrained delegation support. If
the KDC returns a referral TGT for the initial request and advertises
RBCD support, chase referrals to the target realm with both a regular
and proxy TGT, and make an S4U2Proxy request to the target realm with
the proxy TGT as evidence ticket.

Because cross-realm S4U2Proxy requests must use referrals, an explicit
foreign realm in the server name cannot be honored. In the GSSAPI
krb5 mech, if a host-based server name is used, omit the realm (if one
was obtained from [domain_realm] or similar) when calling
krb5_get_credentials() for constrained delegation.

[ rewrote commit message; made style changes]
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: c426ef2ca2ba45dbf96f5380cf7d153ec0679424
Branch: master
src/include/k5-int.h | 13 ++
src/include/krb5/krb5.hin | 1 +
src/lib/gssapi/krb5/init_sec_context.c | 9 +-
src/lib/krb5/asn.1/asn1_k_encode.c | 22 +++
src/lib/krb5/krb/gc_via_tkt.c | 9 +-
src/lib/krb5/krb/s4u_creds.c | 306 ++++++++++++++++++++++++++++++--
src/lib/krb5/libkrb5.exports | 2 +
7 files changed, 345 insertions(+), 17 deletions(-)
Subject: git commit
Download (untitled) / with headers
text/plain 1.4KiB

S4U2Proxy evidence tickets needn't be forwardable

With the introduction of resource-based constrained delegation, the
absence of the forwardable flag no longer implies that a ticket cannot
be used for constrained delegation requests.

Instead, we should check in the PAC to see if the user is marked as
sensitive, and error out in that case rather than making a failed
request. But we don't always have access to the PAC and we currently
do not have the code to retrieve this attribute from the PAC.

Since krb5_get_credentials_for_proxy() no longer needs to look at the
decrypted ticket, change kvno to not require a keytab for constrained

[ made minor style changes and commit message edits;
updated documentation]
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: e131d339b81a22bfc91ab96990c3be9e7779200e
Branch: master
doc/appdev/gssapi.rst | 35 ++++++++++---------------
src/clients/kvno/kvno.c | 40 ++++++++++++++---------------
src/lib/gssapi/krb5/accept_sec_context.c | 3 +-
src/lib/gssapi/krb5/init_sec_context.c | 1 -
src/lib/gssapi/krb5/s4u_gss_glue.c | 14 ++--------
src/lib/krb5/krb/s4u_creds.c | 16 +++--------
src/tests/gssapi/ | 25 ++++++++----------
7 files changed, 53 insertions(+), 81 deletions(-)
Subject: git commit

Add KDC support functions for PA-PAC-OPTIONS

Add helper functions kdc_get_pa_pac_options() and
kdc_add_pa_pac_options(), to retrieve PA-PAC-OPTIONS values from
request padata and to set a PA-PAC-OPTIONS value in encrypted padata.
Don't actually call kdc_add_pa_pac_options() yet.

[ rewrote commit message; minor style edits]
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: 86ba26248dfbbed13cd753dd79e5f45a9a01defc
Branch: master
src/kdc/kdc_util.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
src/kdc/kdc_util.h | 8 ++++++++
2 files changed, 56 insertions(+), 0 deletions(-)
Subject: git commit
Download (untitled) / with headers
text/plain 2.3KiB

Add KDC support for RBCD requests

Add two new KDB methods to support resource-based constrained
delegation. The get_authdata_info method extracts the client
principal for the authdata (necessary for cross-realm RBCD requests as
the evidence ticket is a cross-realm TGT with the requested client's
authdata), and also returns an opaque pointer for consumption by other
KDB methods. The allowed_to_delegate_from method performs a
constrained delegation policy check on the principal entry of the
target principal.

Add the server principal and abstract authdata representation to the
sign_authdata method. Also pass the second ticket server as
header_server since we pass the authorization data from the second
ticket, and pass the impersonated client (if it is in the local realm)
as client instead of the impersonator.

Add core KDC code for RBCD requests. For local RBCD requests
(impersonator and target in the same realm), KDC handling is similar
to existing constrained delegation support. The evidence ticket is
not required to be forwardable, and allowed_to_delegate_from is used
in preference to check_allowed_to_delegate.

For cross-realm RBCD requests, the KDC could be in the impersonator
realm, the target realm, or in a transit realm between the two. In
the transit realm case, the request looks like a regular cross-realm
request for a krbtgt service except for the information in the PAC, so
this case is handled by the KDB module sign_authdata() method.

[ made style and documentation edits; edited commit
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: d47f7dba3779c9e36e1dedaac830dac1dd248fb3
Branch: master
src/include/kdb.h | 106 +++++++++++++++++++++++++++++++---
src/kdc/do_as_req.c | 2 +-
src/kdc/do_tgs_req.c | 118 +++++++++++++++++++++++---------------
src/kdc/kdc_authdata.c | 33 +++++------
src/kdc/kdc_preauth.c | 6 ++
src/kdc/kdc_util.c | 112 +++++++++++++++++++++++++++++++++++--
src/kdc/kdc_util.h | 15 +++++-
src/lib/kdb/kdb5.c | 77 +++++++++++++++++++++++--
src/lib/kdb/libkdb5.exports | 3 +
src/plugins/kdb/test/kdb_test.c | 5 +-
10 files changed, 387 insertions(+), 90 deletions(-)
Subject: git commit

Add tests for local and cross-realm RBCD requests

Add fake PAC generation and verification facilities to the test KDB
module, and implement the get_authdata_info() and
allowed_to_delegate_from() methods. In, construct realms
using the test KDB module and test a variety of RBCD scenarios.
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: 2b1acc07a267782a7f4c9644da78587cc29b6f56
Branch: master
src/plugins/kdb/test/kdb_test.c | 508 +++++++++++++++++++++++++++++++++++++--
src/tests/gssapi/ | 99 ++++++++
2 files changed, 583 insertions(+), 24 deletions(-)
Subject: git commit

Fix doc build

Commit c426ef2ca2ba45dbf96f5380cf7d153ec0679424 added
KRB5_PADATA_PAC_OPTIONS to krb5.hin, but did not put it in an API
index, causing a documentation build failure. Add it now.
Author: Greg Hudson <>
Commit: 7ae4e8882458336fbe50d0e722ec9d5e3e338c63
Branch: master
doc/appdev/refs/macros/index.rst | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)