Re: Cannot delegate credentials to a ktpass-created account?
- From: Speedo <speedogoo@xxxxxxxxx>
- Date: Mon, 8 Dec 2008 00:20:14 -0800 (PST)
I just found out that the service ticket for myserv/h.l.d has no
OK-AS-DELEGATE flag on, while the one for host/h.l.d has it. In the AD
settings of the computer, I've already checked trusted for delegation.
Do I have to add the newly created SPN manually?
Goo
On Dec 8, 12:29 pm, Speedo <speedo...@xxxxxxxxx> wrote:
Hi.
I'm writing a Windows client program to communicate with a GSS-API
server. The client program uses the current login user's credentials
(by calling AcquireCredentialsHandle(0,"Kerberos",OUTBOUND,
0,0,0,0...)), and tries to call InitializeSecurityContext
(...,target,ISC_REQ_DELEGATE|...,). The problem is, although I specify
ISC_REQ_DELEGATE in the request, the established security context does
not have the DELEGATE flag turned on.
I further found out that when I call the ISC function on the SPN
I created with ktpass, the token generated is 0x455 bytes long. On the
other hand, if I target an existing SPN, say host/host.local.domain,
the size is 0x937 bytes. After reading RFC 4120, I guess the client's
forwarded TGT is not sent with the token in the ktpass-generated SPN
case.
How can I fix this problem? The SPN is generated with
ktpass -princ myserv/host.local.dom...@xxxxxxxxxxxx -mapuser
au...@xxxxxxxxxxxx -out myserv.ktab +rndPass
Thanks
Goo
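
Added example, not part of the original post: a Python decoder for RFC 4120 TicketFlags that reads klist-style output and reports which flags the host/ ticket carries that the myserv/ ticket lacks, which is the comparison the post describes. The sample text, realm and client name are constructed, and the line layout is assumed to follow Windows klist output.

```python
import re

# RFC 4120 section 5.3 TicketFlags, numbered from the most significant bit.
# Bits outside RFC 4120 (e.g. the one klist prints as name_canonicalize)
# are deliberately not decoded here.
TICKET_FLAG_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "may-postdate", 6: "postdated", 7: "invalid", 8: "renewable",
    9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}

def decode_ticket_flags(value):
    """Return the set of RFC 4120 flag names set in a 32-bit flags word."""
    return {name for bit, name in TICKET_FLAG_BITS.items()
            if value & (1 << (31 - bit))}

def parse_klist(text):
    """Map each 'Server:' principal to its decoded ticket flags."""
    tickets, server = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Server:\s*(\S+)", line)
        if m:
            server = m.group(1)
            continue
        m = re.match(r"\s*Ticket Flags\s+(0x[0-9a-fA-F]+)", line)
        if m and server:
            tickets[server] = decode_ticket_flags(int(m.group(1), 16))
            server = None
    return tickets

def missing_flags(tickets, working_spn, failing_spn):
    """Flags present on the working ticket but absent on the failing one."""
    return tickets[working_spn] - tickets[failing_spn]

# Constructed sample, not captured from the poster's machine.
SAMPLE = """\
#0> Client: goo @ EXAMPLE.LOCAL
    Server: host/host.local.domain @ EXAMPLE.LOCAL
    Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
#1> Client: goo @ EXAMPLE.LOCAL
    Server: myserv/host.local.domain @ EXAMPLE.LOCAL
    Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
"""

if __name__ == "__main__":
    t = parse_klist(SAMPLE)
    print(missing_flags(t, "host/host.local.domain", "myserv/host.local.domain"))
```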