May 31 2023 03:55 AM
Hi all,
I'm struggling with Kerberos credential delegation...
My environment is :
- Windows Server 2012
- a Win10 workstation that is joined to the configured AD domain
- a Fedora37 Linux server that is joined to the configured AD domain using SSSD
- 'putty' version 0.78 64bit as a SSH client/terminal emulator running on Win10
I configured :
- in 'putty' , I enabled 'Connection > SSH > Auth > GSSAPI > Allow GSSAPI credential delegation
- in 'putty', I specified an AD accountname to login with in 'Connection > Data > Auto-login username'
- SSO to the Fedora37 server : opening a connection using 'putty' logs me in without a password
What I want :
- logging on to Win10 with my AD useraccount gives me a kerberos ticket
- after login to the Fedora37 server I want 'klist' show those credentials
I got this to work using 'Unconstrained Delegation'.. Configuring SSSD for Windows SSO created an
AD machine account for the linux server. Using the Active Directory tooling on the Windows Server,
I can click the machine account's 'Delegation' tab and click 'Trust this computer for delegation to any
server (Kerberos only)'. This effectively sets the 'TRUSTED_FOR_DELEGATION' flag in the UserAccountControl attribute for the Linux machine account.
With this setting, I can use Putty to SSO into the Linux server using my AD useraccount, and 'klist'
shows a forwardable ticket in the Kerberos ticket cache ! Cool !
Unfortunately, this is considered unsecure, since once illegally obtained, these credentials can be used
to authenticate to any Kerberos protected endpoint.
The advice is to use 'Contrained Delegation'. So I tried that by changing the 'Delegation' to
'Trust this computer for delegation to specified services only'. With that, you have to choose at least
one service, so I added the 'host' service for the Linux machine account.
This removes the 'TRUSTED_FOR_DELEGATION' flag from the UserAccountControl attribute on the
Linux machine account, and adds the 'msDS-AllowedToDelegateTo' attribute.
Problem now is that this will not give me a ticket in the Linux ticket cache after logging on to
the Linux server using Putty. ( I clear the ticket cache first.. )
Any help would be appreciated !
Thanks