I've been spending hours upon hours trying to learn and understand Windows Authentication, Kerberos, SPNs, and Constrained Delegation in IIS 7.5. One thing I just don't get is why it is "risky" to leave delegation enabled (i.e. not disable delegation for sensitive accounts) for Admins, CEOs, etc. Can someone please explain this to me in simple terms?
We have a domain "muzzard.com" which has nameservers ns0 and ns1.
I'd like to add a delegation aws.muzzard.com and have the nameservers for that delegation in there e.g. ns0.aws.muzzard.com etc.
When I go through the new delegation wizard it asks for the FQDNs of the nameservers for the delegation... which don't exist!
This must be possible... What gives?
I have a web application (hostname: service.domain.com) and I wish to use Kerberos authentication to identify users that are logged into a Windows domain. Microsoft AD (Windows Server 2008 R2) is providing the Kerberos service.
The service is a Java web application using Spring Security Kerberos extension library to implement SPNEGO/Kerberos protocol.
I'm trying to test a Kerberos-based SSO solution for our Java app. Unfortunately, I don't have a Windows domain at my disposal to do so.
I followed this Kerberos-on-Firefox procedure but still Firefox does not connect via the company's Kerberos.
I am using Firefox 3.0.18 on RedHat EL Server 5.5
Here is what I did:
Run kinit on the command line to create a Kerberos ticket
Check with klist: the ticket is valid until tomorrow, service principal is krbtgt/DC.THECOMPANY.COM@DC.THECOMPANY.COM.
In Firefox, set network.negotiate-auth.t
Continuing the last question about Windows AD + Linux BIND. I decided to create a subdomain for AD to run on.
It's ad.wxxx.xxxxx. My configuration is okay, but I don't think it does the delegation job right.
This Saturday evening we're going to be replacing our existing Windows Server 2003 domain controllers/dns servers with Windows Server 2008 R2 domain controllers/dns servers. The current forest and domain functional levels are Windows Server 2003 and I've already run adprep /forestprep and adprep /domainprep /gprep from the W2K8R2 media on the existing schema operations master.
I am using CORE to develop some network emulations to teach some network concepts.
I've got a Kerberos v5 server set up on a Linux machine, and it's working very well when connecting to other hosts (using samba, ldap or ssh), for which there are principals in my kerberos database.
Can I use kerberos to authenticate against localhost though? And if I can, are there reasons why I shouldn't? I haven't made a kerberos principal for localhost.