Constrained Delegation error "KDC policy rejects request"

Constrained Delegation error "KDC policy rejects request"

John Byrne
Hi,

I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
I'm trying to perform constrained delegation. However, I'm getting this
error from the KDC when the intermediate service calls the step() function
on the security context: "KDC policy rejects request"

Here's the KDC log:

Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8
etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE:
authtime 0,  HTTP/[hidden email] for HTTP/
[hidden email], KDC policy rejects request

I've set the "ok_to_auth_as_delegate" flag on the intermediate service
principal HTTP/www.example.com, using kadmin.local (output of getprinc
below).

Is there something else I need to do to allow this?

Thanks,
John

PS: here's the output of the kadmin.local getprinc command for the intermediate
service principal:

kadmin.local:  getprinc HTTP/www.example.com
Principal: HTTP/[hidden email]
Expiration date: [never]
Last password change: Wed Feb 06 14:58:41 EST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Feb 06 15:19:15 EST 2019 (root/[hidden email])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: OK_TO_AUTH_AS_DELEGATE
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Constrained Delegation error "KDC policy rejects request"

John Byrne
I figured it out, and it's working for me now.

For anyone else who's having this issue, there are 2 separate things you
have to set up to allow an intermediate service to impersonate a user:

* the ok_to_auth_as_delegate flag (in kadmin)
* an access control list in ldap.

I wasn't sure if editing ldap directly was the best thing to do, but I
didn't know of any alternative, so I created an ldif file like this:

dn: krbPrincipalName=HTTP/[hidden email],cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: HTTP/datastore.example.com

You might be able to guess your appropriate ldap dn name based on that
format, but I just found it by doing a search with ldapsearch for my top
level entry, dc=example,dc=com.

After adding the above ldif with ldapmodify, constrained delegation now
works nicely and I can turn it on and off for that intermediate service via
kadmin, using the ok_to_auth_as_delegate flag.

Thanks again to everyone who replied to my other threads on this!

References:
http://kerberos.996246.n3.nabble.com/ACL-for-Constrained-Delegation-td39665.html

-John
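As an added example (not part of John's posts), a small Python diagnostic that parses the krb5kdc NOT_ALLOWED_TO_DELEGATE line quoted above and checks the two prerequisites the reply lists: the OK_TO_AUTH_AS_DELEGATE attribute in getprinc output and a krbAllowedToDelegateTo value on the principal's LDAP entry. The realm EXAMPLE.COM and the target HTTP/datastore.example.com are assumed from the thread, and all inputs are constructed.

```python
import re

# Constructed sample inputs (not captured from a live system): the thread's KDC log
# line with the hidden realm filled in as EXAMPLE.COM, and its getprinc/LDAP data.
KDC_LOG = (
    "Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8 "
    "etypes {18 17 20 19 16 23 25 26}) 192.168.0.22: NOT_ALLOWED_TO_DELEGATE: "
    "authtime 0,  HTTP/www.example.com@EXAMPLE.COM for "
    "HTTP/datastore.example.com@EXAMPLE.COM, KDC policy rejects request"
)
GETPRINC = "Principal: HTTP/www.example.com@EXAMPLE.COM\nAttributes: OK_TO_AUTH_AS_DELEGATE\n"
LDAP_ENTRY = {"krbPrincipalName": ["HTTP/www.example.com@EXAMPLE.COM"],
              "krbAllowedToDelegateTo": ["HTTP/datastore.example.com"]}

LOG_RE = re.compile(
    r"TGS_REQ .*?: (?P<code>[A-Z_]+): authtime \d+,\s+(?P<client>\S+) for (?P<server>\S+),")

def parse_tgs_failure(line):
    """Extract error code, requesting service and target service from a krb5kdc TGS_REQ line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def strip_realm(principal):
    """The LDIF above stores the target without @REALM, so compare on the bare name."""
    return principal.split("@", 1)[0]

def missing_delegation_prereqs(getprinc_output, ldap_entry, target):
    """List which of the two prerequisites from the reply is not yet in place for target."""
    missing = []
    attrs = re.search(r"^Attributes:(.*)$", getprinc_output, re.M)
    flags = attrs.group(1).split() if attrs else []
    if "OK_TO_AUTH_AS_DELEGATE" not in flags:
        missing.append("ok_to_auth_as_delegate flag (kadmin: modprinc +ok_to_auth_as_delegate)")
    allowed = [strip_realm(p) for p in ldap_entry.get("krbAllowedToDelegateTo", [])]
    if strip_realm(target) not in allowed:
        missing.append("krbAllowedToDelegateTo: %s (ldapmodify on the principal's entry)"
                       % strip_realm(target))
    return missing

def diagnose(log_line, getprinc_output, ldap_entry):
    """Map a NOT_ALLOWED_TO_DELEGATE log line to the fix(es) still needed; None otherwise."""
    ev = parse_tgs_failure(log_line)
    if not ev or ev["code"] != "NOT_ALLOWED_TO_DELEGATE":
        return None
    return missing_delegation_prereqs(getprinc_output, ldap_entry, ev["server"])

if __name__ == "__main__":
    print(diagnose(KDC_LOG, GETPRINC, LDAP_ENTRY))  # [] once both are in place
    print(diagnose(KDC_LOG, GETPRINC, {}))          # only the LDAP ACL is missing
```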

On Wed, Feb 6, 2019 at 3:49 PM John Byrne <[hidden email]> wrote: