Re: Expired Tickets - Delegation vs S4U

The S4U ticket for the user is generated "fresh" on the server, so you
shouldn't have any issues with the user's ticket having expired. The only
possible issue I could see here is if the server itself actually caches the
user's ticket in the LSA and that expired, but that seems farfetched to me.
I've never heard of that happening, so I think it is unlikely. It should
circumvent the issue.

I wouldn't worry about the legitimacy of the approach. If it works for you,
then use it. The API is there for a reason. :)

The security issues are dictated by the AD admin giving the service the
rights to do protocol transition logon for delegation and by the local admin
on the server giving the account "act as part of the operating system
privilege" (if needed). You generally wouldn't have either of these by
default.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Nicholas Hadlee" <NicholasHadlee@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:BDFFBE1A-9492-4458-B4EF-4E3C82324669@xxxxxxxxxxxxxxxx
I haven't as yet tried this method of mixing the two delegation models
together; I was interested if anyone had actually tried this. The real
question is will it get round the ticket lifetime of ten hours - do S4U
tickets have the same lifetime restriction? From a security perspective I
suppose there may be an issue that you are almost circumventing the purpose
of Kerberos having the short lifetime if you find a way to keep the tickets
alive through multiple S4U requests.

Also, it doesn't really seem like a legitimate use of protocol transition to
go from integrated authentication (with impersonation disabled at the
application level in the web.config) to integrated authentication (with
impersonation through code). However, if it works I will certainly use this
method.
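An added example (mine, not code from Joe or Nicholas) covering both halves of the discussion above: the AD-side audit of which accounts have been granted protocol transition (the first of the two admin decisions Joe names), the local check for SeTcbPrivilege (the second), and the S4U logon call itself, which shows why the user's own ticket lifetime does not come into it. It assumes Windows PowerShell 5.1 on .NET Framework (where WindowsIdentity.Impersonate() exists) and the ActiveDirectory RSAT module; contoso.com and alice are placeholder names.

```powershell
# Added example, not part of the original thread. Placeholder names: contoso.com, alice.
Import-Module ActiveDirectory

# Documented userAccountControl bits.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" = protocol transition

# Part 1: who in the domain may do protocol transition, and where they may forward to.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the filter matches accounts
# whose userAccountControl has the protocol-transition bit set.
function Get-ProtocolTransitionAccounts {
    $filter = "(&(|(objectClass=user)(objectClass=computer))" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION))"
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, msDS-AllowedToDelegateTo, servicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Account        = $_.Name
                Unconstrained  = [bool]($_.userAccountControl -band $TRUSTED_FOR_DELEGATION)
                # Constrained-delegation targets: the only services an S4U ticket may be forwarded to.
                AllowedTargets = @($_.'msDS-AllowedToDelegateTo')
                SPNs           = @($_.servicePrincipalName)
            }
        }
}

# Part 2: the local side. Run as the service account; without SeTcbPrivilege the
# S4U token below comes back at Identification level only.
function Test-TcbPrivilege {
    [bool](whoami /priv | Select-String -Quiet 'SeTcbPrivilege')
}

# Part 3: the S4U logon. WindowsIdentity(upn) asks the KDC for a fresh S4U2self
# ticket for the user to this service via LsaLogonUser; nothing from the user's
# own logon session is used, so an expired user ticket is irrelevant here.
function Invoke-AsUser {
    param([string]$Upn, [scriptblock]$Action)
    $id = New-Object System.Security.Principal.WindowsIdentity($Upn)
    if ($id.ImpersonationLevel -ne [System.Security.Principal.TokenImpersonationLevel]::Impersonation) {
        # Identification-level token: fine for authorization checks, useless for acting as the user.
        throw "Token for $($id.Name) is $($id.ImpersonationLevel); grant SeTcbPrivilege to the service account if impersonation is required"
    }
    $ctx = $id.Impersonate()
    try { & $Action } finally { $ctx.Undo() }   # always revert the thread token
}

Get-ProtocolTransitionAccounts | Format-Table -AutoSize
"SeTcbPrivilege held: $(Test-TcbPrivilege)"

# Every call is a new S4U request, so a long-running service never depends on the
# user's own ticket lifetime. Check the thread identity rather than spawning whoami.exe:
# a child process gets the process token, not the impersonation token.
Invoke-AsUser -Upn 'alice@contoso.com' -Action {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
}
```

Two caveats a practitioner would want: an account listed with both Unconstrained and protocol transition set is worth a second look, since that combination is far more than a web front end needs; and the audit only covers the AD side of Joe's two conditions, so the SeTcbPrivilege check has to be run on each server hosting the service.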