tags:

views:

122

answers:

1
+1  Q: 

Confusion about Kerberos, delegation and SPNs.

I'm trying to write a proof-of-concept application that performs Kerberos delegation. I've written all the code, and it seems to working (I'm authenticating fine), but the resulting security context doesn't have the ISC_REQ_DELEGATE flag set.

So I'm thinking that maybe one of the endpoints (client or server) is forbidden to delegate. However I'm not authenticating against an SPN. Just one domain user against another domain user. As the SPN for InitializeSecurityContext() I'm passing "[email protected]" (which is the user account under which the server application is running). As I understand, domain users have delegation enabled by default. Anyway, I asked the admin to check, and the "account is sensitive and cannot be delegated" checkbox is off.

I know that if my server was running as a NETWORK SERVICE and I used an SPN to connect to it, then I'd need the computer account in AD to have the "Trust computer for delegation" checkbox checked (off by default), but... this is not the case, right? Or is it?

Also - when the checkbox in the computer account is set, do the changes take place immediately, or must I reboot the server PC or wait for a while?

+1  A: 

According to this ISC_REQ_DELEGATE is only ignored if you use constrained delegation. I'm pretty sure for constrained delegation to happen, you have to explicitly state which services the account is allowed to delegate to in Active Directory (delegation tab for a user or computer in the AD snap in).

I'm not sure of the rules using UPNs vs SPNs. Have you tried turning on Kerberos event logging and looking in the event log? The messages are often cryptic but usually possible to decipher.

Your description of the NETWORK SERVICE scenario is accurate. Trust for delegation is off by default, but NETWORK SERVICE might have permission to self register an SPN (I think this can be determined by group policy).

When you tick the box the change takes place immediately, but may have to propogate throughout all the domain controllers in the domain (I typically test in a test domain with a single DC). So, restarting your service app is enough, you don't need to reboot.

The Kerb tickets reside on the client machine. These have an expiry time, and can be flushed manually using klist or kerbtray.

Alex Peck  2010-03-18 19:11:46

related questions

Setting SPN on endpointaddress for NetNamedPipe service endpoint
Do I need to configure SPNs for all services running on the same test SharePoint server?
expected identity upn connecting to service as network service,
Client unable to authenticate when connecting to WCF service
WCF - Why netTCPBinding works fine with Kerberos authentication without any SPN setting?
IIS running as service Account with AzMan
How can i start a console application using the 'network service' account
Tomcat authentication using SPNEGO/Kerberos and delegation
Testing that a website is using Kerberos authentication
SSH hangs on Mac Book Pro; AFS and Network Preferences?
Why does my web part throw an error about "NT Authority/Anonymous User"?
Generate kerberos ticket using .NET
How do I call a Sharepoint Webservice from a c# client using Kerberos authentication ?
Can I use two Kerberos Keytabs from a single host?
How do I reload kerberos configuration under tomcat ?
Do I need to set up Kerberos to use Replication in SQL Server 2005?
bind Linux to Active Directory using kerberos
IIS Returning Old User Names to my application
gss_acquire_cred returning Key table entry not found error
Kerberos and T125 protocol
Difference between SSL and Kerberos authentication?
Kerberos Delegation for Clients Ouside the Firewall
Kerberos user authentication in Apache
What SPN do I need to set for a net.tcp service?