To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Date: Thu, 22 Aug 2024 18:16:33 +0000
From: "Rajbir Chahal" <rajbir.chahal@oracle.com>
Subject: S4U2Proxy API error

Hello,

I am testing the Kerberos S4U2Proxy API (krb5_get_credentials_for_proxy()).
The client is the MIT Kerberos (version 5-1.21.2) test program, krb5-1.21.2/src/tests/s4u2proxy.c. The Kerberos KDC is Active Directory (on Windows Server 2016).

On making this API call, the client receives error "-1765328371, KDC can't fulfill requested option". 

Has this functionality been tested with Active Directory? Has it been tested with any other KDCs?

Please share guidance about resolving this issue.

I have reviewed the krb5-bugs archive and did not find a previous bug related to this issue.

thanks,
Rajbir

To: "rt@kerborg-prod-app-1.mit.edu" <rt@kerborg-prod-app-1.mit.edu>
Date: Wed, 28 Aug 2024 13:38:15 +0000
Subject: Re: [External] : [krbdev.mit.edu #9136] AutoReply: S4U2Proxy API error
From: "Rajbir Chahal" <rajbir.chahal@oracle.com>

Hello,

Were you able to look into this? When can I expect a response?

thanks,
Rajbir


The S4U2Proxy code has been tested against Active Directory and the MIT krb5 KDC.  Typically S4U2Proxy operations are initiated via the GSSAPI, however; see https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#constrained-delegation-s4u and the test program t_s4u.c.

The protocol error code corresponding to "KDC can't fulfill requested option" can have a variety of causes.  One that immediately comes to mind is using a non-forwardable evidence ticket, but there are many others.  It's possible that KDC logs could provide more information, but I am not very familiar with Active Directory's logging.

As a note, MIT krb5 is an open source project and does not have an SLA with any other organization.  We cannot guarantee any specific response time for bug reports or promise that they will be resolved.
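
A triage aid for the cause named in the reply above (a non-forwardable evidence ticket), added here as an example; it is not code from MIT krb5 or from either correspondent. It maps the reported com_err value to its RFC 4120 protocol error number and scans `klist -f` output for service tickets that lack the forwardable flag (`F`). The sample listing, principals and realm are constructed, and the parser assumes the default MIT `klist -f` layout.

```python
import re

# Base of the krb5 com_err table: protocol error N is reported as BASE + N.
KRB5_ERROR_BASE = -1765328384
KDC_ERR_BADOPTION = 13  # RFC 4120: KDC cannot accommodate requested option


def protocol_code(com_err_code):
    """Convert a libkrb5 com_err value to the RFC 4120 error number."""
    return com_err_code - KRB5_ERROR_BASE


# Constructed sample of `klist -f` output (hypothetical principals and realm).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_svc
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/22/2024 10:00:00  08/22/2024 20:00:00  HTTP/web.example.com@EXAMPLE.COM
\tFlags: A
08/22/2024 10:00:05  08/22/2024 20:00:00  host/app.example.com@EXAMPLE.COM
\trenew until 08/29/2024 10:00:00, Flags: FRA
"""

# Assumed layout: "<date> <time>  <date> <time>  <service principal>".
ENTRY = re.compile(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+)\s*$")
FLAGS = re.compile(r"Flags:\s*([A-Za-z]+)")


def forwardable_by_service(klist_text):
    """Map each service principal to True if its ticket carries flag F."""
    result, current = {}, None
    for line in klist_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = entry.group(1)
            result[current] = False  # stays False if no Flags line follows
            continue
        flags = FLAGS.search(line)
        if flags and current is not None:
            # Upper-case F is "forwardable"; lower-case f is "forwarded".
            result[current] = "F" in flags.group(1)
    return result


def non_forwardable(klist_text):
    """Service tickets lacking the forwardable flag, sorted by name."""
    return sorted(s for s, ok in forwardable_by_service(klist_text).items() if not ok)


if __name__ == "__main__":
    print("protocol error:", protocol_code(-1765328371))
    print("non-forwardable:", non_forwardable(SAMPLE_KLIST))
```

A ticket that passes this check rules out only the one cause the reply names; the same protocol error has others.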