Putty and Kerberos constrained delegation

Copper Contributor
Hi all,
 
I already posted this on 'Windows Server for IT Pro', but that might have been the wrong forum..
Therefore I'll try again here. Apologies in advance..
Original post was :


I'm struggling with Kerberos credential delegation...
My environment is :
 - Windows Server 2012

 - a Win10 workstation that is joined to the configured AD domain

 - a Fedora37 Linux server that is joined to the configured AD domain using SSSD

 - 'putty' version 0.78 64bit as a SSH client/terminal emulator running on Win10


I configured :
- in 'putty' , I enabled 'Connection > SSH > Auth > GSSAPI > Allow GSSAPI credential delegation
- in 'putty', I specified an AD accountname to login with in 'Connection > Data > Auto-login username'

- SSO to the Fedora37 server : opening a connection using 'putty'  logs me in without a password

What I want :
 - logging on to Win10 with my AD useraccount gives me a kerberos ticket

 - after login to the Fedora37 server I want 'klist' show those credentials

I got this to work using 'Unconstrained Delegation'..  Configuring SSSD for Windows SSO created an
AD machine account for the linux server. Using the Active Directory tooling on the Windows Server,
I can click the machine account's  'Delegation' tab and click 'Trust this computer for delegation to any
server (Kerberos only)'. This effectively sets the 'TRUSTED_FOR_DELEGATION' flag in the UserAccountControl attribute for the Linux machine account.
With this setting, I can use Putty to SSO into the Linux server using my AD useraccount, and 'klist'
shows a forwardable ticket in the Kerberos ticket cache !  Cool !

Unfortunately, this is considered unsecure, since once illegally obtained, these credentials can be used
to authenticate to any Kerberos protected endpoint.
The advice is to use 'Contrained Delegation'. So I tried that by changing the 'Delegation' to 
'Trust this computer for delegation to specified services only'.  With that, you have to choose at least
one service, so I added the 'host' service for the Linux machine account.
This removes the 'TRUSTED_FOR_DELEGATION' flag from the UserAccountControl attribute on the 
Linux machine account, and adds the 'msDS-AllowedToDelegateTo' attribute.

Problem now is that this will not give me a ticket in the Linux ticket cache after logging on to
the Linux server using Putty.  ( I clear the ticket cache first.. )

Any help would be appreciated !
Thanks 

0 Replies