[cifs-protocol] 120012721001773 Clarify in MS-KILE 188.8.131.52.5 how the KDC makes the decision
srenaden at microsoft.com
Tue Jan 28 19:48:26 UTC 2020
Hello Isaac, my review shows that the NO_TGT attribute effectively clears the ok-as-delegate flag even in the same forest. Also, the ENABLE_TGT trust attribute is not required to be set within the forest. I will be assisting you with getting these details documented in the MS-KILE spec.
Microsoft Windows Open Specifications
From: Isaac Boukris <iboukris at gmail.com>
Sent: Monday, January 27, 2020 10:34 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Stefan Metzmacher <metze at samba.org>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Clarification request about TGT forwarding within forest MS-KILE 184.108.40.206.5
This is a followup question to:
Per my testing using updated Windows 2019, the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION trust attribute is not required when both domains are in the same forest, and even if it is not set the Windows KDC still sets the ok-as-delegate flag.
Could you please clarify in MS-KILE 220.127.116.11.5 how the KDC makes the decision not to require the ENABLE_TGT attribute when in the same forest, and whether the NO_TGT attribute applies in that case or not.
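The precedence reported in this thread, as an added Python example for auditing trustAttributes values; it is not code from the thread, from Microsoft or from Samba. It assumes that "same forest" is recognised by the TRUST_ATTRIBUTE_WITHIN_FOREST bit and that a trust outside the forest needs ENABLE_TGT_DELEGATION for the flag to be set; the trust names and values are constructed.

```python
# Added illustration: models the behaviour reported in this thread,
# not Windows or Samba code. Bit values are the MS-ADTS trustAttributes flags.
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x00000200
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x00000800


def ok_as_delegate(trust_attributes):
    """Return (flag_set, reason) for a referral TGT issued over this trust."""
    # NO_TGT is checked first: per the reply above it clears the flag
    # even when both domains are in the same forest.
    if trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION:
        return False, "NO_TGT_DELEGATION set"
    # Assumption: "same forest" is recognised by the WITHIN_FOREST bit.
    if trust_attributes & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return True, "same forest, ENABLE_TGT_DELEGATION not required"
    # Assumption: outside the forest the flag needs ENABLE_TGT_DELEGATION.
    if trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION:
        return True, "ENABLE_TGT_DELEGATION set"
    return False, "outside forest without ENABLE_TGT_DELEGATION"


def audit(trusts):
    """Map each trust name to its (flag_set, reason) verdict."""
    return {name: ok_as_delegate(attrs) for name, attrs in trusts.items()}


# Constructed sample data: names and attribute values are made up.
SAMPLE_TRUSTS = {
    "child.example.test": TRUST_ATTRIBUTE_WITHIN_FOREST,
    "locked.example.test": TRUST_ATTRIBUTE_WITHIN_FOREST
    | TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION,
    "partner.test": TRUST_ATTRIBUTE_FOREST_TRANSITIVE,
    "partner-deleg.test": TRUST_ATTRIBUTE_FOREST_TRANSITIVE
    | TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION,
}

if __name__ == "__main__":
    for name, (flag, reason) in audit(SAMPLE_TRUSTS).items():
        state = "set" if flag else "clear"
        print(f"{name:22} ok-as-delegate {state:5} ({reason})")
```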