[cifs-protocol] 114120912145254 What is UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION / TrustedToAuthenticationForDelegation used for?

Sreekanth Nadendla srenaden at microsoft.com
Fri Dec 19 09:45:31 MST 2014

Hello Andrew, below is the answer for your question "What is UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION / TrustedToAuthenticationForDelegation used for?"

Services for User to Self (S4U2S) help provide for Protocol Transition, i.e. the ability to perform Kerberos Authentication even though the end user can only authenticate using some other non-Kerberos protocol. Fields UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION and USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION are used to enable protocol transition.

As per MS-ADTS section 2.2.16 userAccountControl Bits:
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION indicates that the account (when running as a service) obtains an S4U2self service ticket (as specified in [MS-SFU]) with the forwardable flag set. If this bit is cleared, the forwardable flag is not set in the S4U2self service ticket.

The one difference between them is that the actual value of these flags is not the same, and obtaining values for these is achieved differently, i.e. it depends on whether we query using LDAP or make SamIGetUserLogonInformation* API calls etc.

Also TrustedToAuthenticateForDelegation is just a boolean abstract representation of the above flags which makes it convenient to answer the question of is it OK to forward the ticket during **protocol transition**.

Sreekanth Nadendla
Microsoft Windows Open Specifications
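As an added illustration (not part of the thread, and not Samba or Microsoft code), here is how an LDAP audit might apply the flag described above: it decodes userAccountControl into the boolean the reply calls TrustedToAuthenticateForDelegation and classifies each account's delegation posture. The bit values are the Windows SDK ADS_USER_FLAG_ENUM constants, which this thread does not quote, and the sample entries are constructed.

```python
# Added example: classify Kerberos delegation settings from userAccountControl
# and msDS-AllowedToDelegateTo, the way a directory audit would.
# Bit values are the LDAP ADS_USER_FLAG_ENUM constants (Windows SDK); assumed, not
# taken from the mailing-list thread.
UF_ACCOUNTDISABLE = 0x00000002
UF_TRUSTED_FOR_DELEGATION = 0x00080000                   # unconstrained delegation
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000   # protocol transition

def trusted_to_authenticate_for_delegation(uac: int) -> bool:
    """The boolean abstraction the reply describes: may this service obtain a
    forwardable S4U2self ticket, i.e. perform protocol transition?"""
    return bool(uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION)

def classify_delegation(entry: dict) -> str:
    """Return a short delegation class for an LDAP-style account entry."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & UF_ACCOUNTDISABLE:
        return "disabled"
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets:
        # Constrained delegation; with the bit set the service can also turn a
        # non-Kerberos logon into a forwardable S4U2self ticket for S4U2proxy.
        if trusted_to_authenticate_for_delegation(uac):
            return "constrained+protocol-transition"
        return "constrained"
    if trusted_to_authenticate_for_delegation(uac):
        # Forwardable S4U2self tickets are issued but there is no S4U2proxy
        # target list; worth reviewing as a likely misconfiguration.
        return "protocol-transition-without-targets"
    return "none"

def audit(entries) -> dict:
    """Map sAMAccountName -> class for every account that can delegate at all."""
    findings = {}
    for entry in entries:
        cls = classify_delegation(entry)
        if cls not in ("none", "disabled"):
            findings[entry["sAMAccountName"]] = cls
    return findings

# Constructed sample entries (not real directory data). 0x200 = UF_NORMAL_ACCOUNT,
# 0x1000 = UF_WORKSTATION_TRUST_ACCOUNT.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "websvc", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.example.test"]},
    {"sAMAccountName": "reportsvc", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["http/app.example.test"]},
    {"sAMAccountName": "legacyhost$", "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "orphan", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION},
]
```

Run as a script it prints nothing; call `audit(SAMPLE_ENTRIES)` to get the per-account classification, and feed it real entries pulled with an LDAP query on the same attributes.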

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, December 9, 2014 5:30 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: What is UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION / TrustedToAuthenticationForDelegation used for?

MS-SAMR states:

USER_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION This bit is used by the Kerberos protocol, as specified in [MS-KILE] section

However, MS-KILE is no more illuminating, doesn't use the flag full name (please, please remove all references to two-letter codes) and uses another name not specified anywhere else (TrustedToAuthenticationForDelegation).

Please improve the inter-doc references and let me know what this flag is used for.  (We understand from elsewhere it is related to the S4U2Proxy functionality).


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
