Kerberos credential delegation
Putty and Kerberos constrained delegation
Hi all, I'm struggling with Kerberos credential delegation...

My environment is:
- Windows Server 2012
- a Win10 workstation that is joined to the configured AD domain
- a Fedora 37 Linux server that is joined to the configured AD domain using SSSD
- PuTTY version 0.78 64-bit as an SSH client/terminal emulator running on Win10

I configured:
- in PuTTY, I enabled 'Connection > SSH > Auth > GSSAPI > Allow GSSAPI credential delegation'
- in PuTTY, I specified an AD account name to log in with in 'Connection > Data > Auto-login username'
- SSO to the Fedora 37 server: opening a connection using PuTTY logs me in without a password

What I want:
- logging on to Win10 with my AD user account gives me a Kerberos ticket
- after login to the Fedora 37 server I want 'klist' to show those credentials

I got this to work using 'Unconstrained Delegation'. Configuring SSSD for Windows SSO created an AD machine account for the Linux server. Using the Active Directory tooling on the Windows Server, I can click the machine account's 'Delegation' tab and click 'Trust this computer for delegation to any server (Kerberos only)'. This effectively sets the 'TRUSTED_FOR_DELEGATION' flag in the UserAccountControl attribute for the Linux machine account. With this setting, I can use PuTTY to SSO into the Linux server using my AD user account, and 'klist' shows a forwardable ticket in the Kerberos ticket cache! Cool!

Unfortunately, this is considered insecure, since once illegally obtained, these credentials can be used to authenticate to any Kerberos-protected endpoint. The advice is to use 'Constrained Delegation'. So I tried that by changing the 'Delegation' to 'Trust this computer for delegation to specified services only'. With that, you have to choose at least one service, so I added the 'host' service for the Linux machine account.

This removes the 'TRUSTED_FOR_DELEGATION' flag from the UserAccountControl attribute on the Linux machine account and adds the 'msDS-AllowedToDelegateTo' attribute. Problem now is that this will not give me a ticket in the Linux ticket cache after logging on to the Linux server using PuTTY. (I clear the ticket cache first...)

Any help would be appreciated! Thanks
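The post checks the two attributes that encode a machine account's delegation mode by hand in the AD tooling: the TRUSTED_FOR_DELEGATION bit of userAccountControl and the msDS-AllowedToDelegateTo list. The following is an added example (not the poster's code) that classifies an account from those two values and flags the configurations worth a second look, including constrained delegation with protocol transition, which the post does not use but which the same attributes express. The flag bit values are the documented userAccountControl constants; the sample account states and hostnames (fedora37.example.com, fileserver.example.com) are constructed and hypothetical.

```python
"""Classify an AD computer account's Kerberos delegation setting.

Added example, not from the original forum post.  Inputs are the raw
userAccountControl integer and the msDS-AllowedToDelegateTo values; the
samples below are constructed, not read from a real directory.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# userAccountControl flag bits (documented constants, MS-ADTS / MS-SAMR).
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary machine account
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation to any service (Kerberos only)"
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation + protocol transition ("Use any authentication protocol")


@dataclass
class DelegationReport:
    mode: str                                           # none | unconstrained | constrained | constrained+protocol-transition
    targets: list[str] = field(default_factory=list)    # normalised SPNs the account may delegate to
    warnings: list[str] = field(default_factory=list)


def parse_spn(spn: str) -> tuple[str, str, int | None]:
    """Split 'service/host[:port][/name]' into (service, host, port); reject malformed values."""
    service, sep, rest = spn.partition("/")
    if not sep or not service or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    hostport = rest.split("/", 1)[0]                    # drop an optional trailing service name
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"malformed SPN: {spn!r}")
    return service, host.lower(), int(port) if port else None


def classify_delegation(uac: int, allowed_to: list[str]) -> DelegationReport:
    """Return the delegation mode implied by userAccountControl and msDS-AllowedToDelegateTo."""
    report = DelegationReport(mode="none")
    if uac & NOT_DELEGATED:
        report.warnings.append("NOT_DELEGATED is set: this account's own credentials can never be delegated")

    if uac & TRUSTED_FOR_DELEGATION:
        # Unconstrained: the KDC marks service tickets OK-AS-DELEGATE and clients
        # forward a full TGT, usable against any Kerberos service.
        report.mode = "unconstrained"
        if allowed_to:
            report.warnings.append("TRUSTED_FOR_DELEGATION and msDS-AllowedToDelegateTo are both set; treating as unconstrained")
        return report

    if allowed_to:
        for spn in allowed_to:
            service, host, port = parse_spn(spn)
            report.targets.append(f"{service}/{host}" + (f":{port}" if port else ""))
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # Protocol transition: the service can obtain tickets to the listed
            # targets on behalf of a user who never authenticated with Kerberos.
            report.mode = "constrained+protocol-transition"
            report.warnings.append("protocol transition enabled: the service can impersonate users to the listed targets without a Kerberos ticket from them")
        else:
            report.mode = "constrained"
    elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        report.warnings.append("TRUSTED_TO_AUTH_FOR_DELEGATION is set but msDS-AllowedToDelegateTo is empty")
    return report


# Constructed sample account states (hostnames are hypothetical).
SAMPLES: dict[str, tuple[int, list[str]]] = {
    "unconstrained": (WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, []),
    "constrained":   (WORKSTATION_TRUST_ACCOUNT, ["host/fedora37.example.com", "host/fedora37"]),
    "transition":    (WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION, ["cifs/fileserver.example.com:445"]),
    "plain":         (WORKSTATION_TRUST_ACCOUNT, []),
}


def report_all() -> dict[str, DelegationReport]:
    return {name: classify_delegation(uac, spns) for name, (uac, spns) in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in report_all().items():
        print(f"{name:13s} -> {r.mode:32s} targets={r.targets} warnings={r.warnings}")
```

In a real domain the two inputs come from an LDAP read of the computer object, for example `Get-ADComputer <name> -Properties userAccountControl,msDS-AllowedToDelegateTo` on the Windows server; feed the returned integer and string list into `classify_delegation`. The "unconstrained" and "constrained" samples correspond to the two states described in the post.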