[cifs-protocol] [EXTERNAL] [MS-SFU] Clarify the new NonForwardableDelegation flag - TrackingID#2107090040004014

Isaac Boukris iboukris at gmail.com
Tue Jul 27 12:43:20 UTC 2021

Hi again,

On Tue, Jul 27, 2021 at 11:22 AM Isaac Boukris <iboukris at gmail.com> wrote:
> > I have gotten some clarification on the comment "When this protection if enabled, it unifies the logic for Resource-Based Constrained Delegation (RBCD) with the original constrained delegation.".
> >
> > RBCD was recently updated to ensure that everyone honors the ticket issuer's request to not allow delegation. What the comment means is that the secure RBCD logic will stay in place, and that NonForwardableDelegation is being added to be able to turn off forwarding.
> Thanks for sharing that, so my vague understanding is that the current
> behavior doesn't change with the CVE-2020-16996 update, and that
> NonForwardableDelegation option was added which - I'm guessing - will
> require the forwardable flag to be set on an evidence ticket even for

I've run a couple of tests, it looks like the behavior did change
significantly, as now any service with an empty
msDS-AllowedToDelegateTo list is treated as TrustedToAuthForDelegation
and gets forwardable tickets with S4U2Self, on the other hand when the
new NonForwardableDelegation is enabled (set to 0..), then the
evidence ticket is required to be forwardable even in RBCD.

Please confirm and update the documentation accordingly, especially
for the cross-realm RBCD case which I suppose would also require
forwardable tickets and the other realm is trusted for that.


More information about the cifs-protocol mailing list