Kerberos Ticket Forwarding patch/update

Michael B Allen ioplex at
Fri Jul 25 16:11:06 GMT 2008

On Thu, Jul 24, 2008 at 7:03 PM, Love Hörnquist Åstrand <lha at> wrote:
> Hello Derrick,
> Maybe the client doesn't want to authenticate to that service; you are forcing
> it upon them to always delegate, even for services which they don't need to
> delegate to.
> To test the behavior you need to use SSPI directly and test the behavior of
> the Windows SSPI Kerberos interface.

Doing delegation is decided entirely by the client using not only the
OK_AS_DELEGATE flag but in many cases other information as well.

For example, with HTTP Negotiate authentication, the client (Internet
Explorer) will only send the delegated credential if OK_AS_DELEGATE is
set AND the user's NOT_DELEGATED UserAccountControl flag is not set
AND the target server is determined to be in the "Local intranet zone"
according to browser security settings. At least these are the things
that can stop delegation that I know of.

For CIFS, I would be a little surprised if the service ticket being
flagged OK_AS_DELEGATE (and NOT_DELEGATED flag) was all that was
considered. Someone could try turning the TRUSTED_FOR_DELEGATION
UserAccountControl flag on and off and seeing if a client will send
the delegated credential in reaction to that. Does the client send it
if the server is in another domain trusted or otherwise?


> 24 jul 2008 kl. 23.55 skrev Derrick Schommer:
>> I'm not sure how Microsoft handles it internally, what I do know is if the
>> client doesn't 'want' to delegate, then they're going to be declined the
>> ability to authenticate because the server is virtualizing the back-end
>> storage. You cannot authenticate directly with the virtualized system
>> without using a management address. The client wouldn't gain any advantage
>> from not allowing the delegated trust.

Michael B Allen
PHP Active Directory SPNEGO SSO
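The client-side delegation decision described in the message above, written out as an added example (not code from the post, from Samba or from Windows). It models the three conditions Michael lists for the HTTP Negotiate case plus the standard requirement of a forwardable TGT, and the experiment he proposes: the KDC sets OK_AS_DELEGATE on a service ticket only when the service account has TRUSTED_FOR_DELEGATION. Flag values are the documented userAccountControl and RFC 4120 TicketFlags bits; the zone name and the class layout are assumptions.

```python
from dataclasses import dataclass

# userAccountControl bits (documented values, MS-ADTS / MS-SAMR).
UF_NORMAL_ACCOUNT         = 0x00000200
UF_TRUSTED_FOR_DELEGATION = 0x00080000  # unconstrained delegation on the service account
UF_NOT_DELEGATED          = 0x00100000  # "account is sensitive and cannot be delegated"

# RFC 4120 TicketFlags, stored MSB-first in a 32-bit word as MIT krb5 does:
# forwardable is bit 1, ok-as-delegate is bit 13.
TKT_FLG_FORWARDABLE    = 0x40000000
TKT_FLG_OK_AS_DELEGATE = 0x00040000


def service_ticket_flags(service_uac: int) -> int:
    """Model of the KDC side of the experiment in the message: the service
    ticket carries OK_AS_DELEGATE only while the service account is
    TRUSTED_FOR_DELEGATION. Toggling that bit is what flips the client."""
    flags = TKT_FLG_FORWARDABLE
    if service_uac & UF_TRUSTED_FOR_DELEGATION:
        flags |= TKT_FLG_OK_AS_DELEGATE
    return flags


@dataclass
class DelegationContext:
    ticket_flags: int        # flags on the service ticket for the target host
    user_uac: int            # userAccountControl of the user being authenticated
    target_zone: str         # browser security zone the target host maps to (assumed label)
    tgt_forwardable: bool    # the user's TGT must itself be forwardable


def delegation_blockers(ctx: DelegationContext) -> list:
    """Return every reason the client would refuse to forward credentials.
    An empty list means the client would send the delegated TGT."""
    reasons = []
    if not ctx.tgt_forwardable:
        reasons.append("TGT is not forwardable")
    if not ctx.ticket_flags & TKT_FLG_OK_AS_DELEGATE:
        reasons.append("service ticket lacks OK_AS_DELEGATE")
    if ctx.user_uac & UF_NOT_DELEGATED:
        reasons.append("user has NOT_DELEGATED set")
    if ctx.target_zone != "Local intranet":
        reasons.append("target host is not in the Local intranet zone")
    return reasons


def will_delegate(ctx: DelegationContext) -> bool:
    return not delegation_blockers(ctx)
```

Running it over an account inventory (userAccountControl pulled from LDAP) shows which user/service pairs would silently hand a forwardable TGT to a server, which is the population to review when auditing unconstrained delegation.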
