[krbdev.mit.edu #8777] S4U2Self with X.509 certificate bugs


Greg Hudson via RT-2
One more issue I neglected to note:

* In the TGS part of an S4U2Self request, when multiple TGS requests are
required due to cross-realm, to be consistent with Windows clients,
only the first request should present the certificate; later requests
should present the client principal obtained from the PA-FOR-X509-USER
padata in the first TGS response.

I will also note here that, per Isaac's investigation, the Windows LSA
API will extract a UPN SAN from the client certificate and use that
enterprise principal in preference to the certificate.  To do the same
we would need certificate-parsing code or an OpenSSL dependency in the
S4U2Self code.
_______________________________________________
krb5-bugs mailing list
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
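The second point above notes that matching the Windows LSA behaviour (taking the UPN from the certificate's SubjectAltName and using it as an enterprise principal) would require certificate-parsing code in the S4U2Self path. The following is an added example, not code from MIT krb5 or from this thread, of the minimal piece of that parsing: it walks a DER-encoded SubjectAltName extension, picks out the `otherName` entry whose type-id is the Microsoft UPN OID `1.3.6.1.4.1.311.20.2.3`, and turns the UPN into a single-component principal of name type `NT-ENTERPRISE` (10). It assumes the SAN extension value has already been pulled out of the certificate (doing that for a whole certificate is exactly the job that would otherwise need an OpenSSL dependency), uses `krb5_unparse_name`-style escaping of `@` and `/` in components, and takes the local realm as a parameter because the page does not say how the realm is chosen. The sample SAN is constructed in the code from a small DER encoder, not captured from a real certificate.

```python
"""Extract a UPN otherName from a DER SubjectAltName and map it to a
Kerberos enterprise principal.  Added illustrative example; not MIT krb5 code."""

from dataclasses import dataclass

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME
KRB5_NT_ENTERPRISE_PRINCIPAL = 10    # enterprise name type (RFC 6806)


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Decode DER OID content octets into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                     # last base-128 digit of this arc
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def upn_from_san(san_der):
    """Return the UPN carried in a DER SubjectAltName, or None if there is none."""
    tag, seq, end = _read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("SAN is not a single SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, name, pos = _read_tlv(seq, pos)
        if tag != 0xA0:                      # only otherName [0] can hold a UPN
            continue
        otag, oid, p = _read_tlv(name, 0)    # OtherName ::= SEQUENCE { type-id, value [0] }
        if otag != 0x06 or _decode_oid(oid) != UPN_OID:
            continue                         # some other otherName type; skip it
        vtag, wrapped, _ = _read_tlv(name, p)
        if vtag != 0xA0:
            raise ValueError("otherName value must be [0] EXPLICIT")
        stag, utf8, _ = _read_tlv(wrapped, 0)
        if stag != 0x0C:
            raise ValueError("UPN must be a UTF8String")
        return utf8.decode("utf-8")
    return None


@dataclass(frozen=True)
class Principal:
    name_type: int
    components: tuple
    realm: str

    def unparse(self):
        """String form with '\\', '@' and '/' escaped, as krb5_unparse_name does."""
        def esc(s):
            return s.replace("\\", "\\\\").replace("@", "\\@").replace("/", "\\/")
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)


def enterprise_principal(upn, local_realm):
    """Whole UPN becomes the single component of an NT-ENTERPRISE principal.
    local_realm is an assumption of this example; the thread does not say how
    the realm is chosen."""
    if "@" not in upn:
        raise ValueError("UPN must contain '@'")
    return Principal(KRB5_NT_ENTERPRISE_PRINCIPAL, (upn,), local_realm)


# --- constructed sample input (a tiny DER encoder; not a real certificate) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_san(email, upn=None):
    """SAN with an rfc822Name [1] and, optionally, a UPN otherName [0]."""
    names = _tlv(0x81, email.encode())
    if upn is not None:
        other = _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, upn.encode()))
        names += _tlv(0xA0, other)
    return _tlv(0x30, names)


SAMPLE_SAN = build_sample_san("jdoe@corp.example.com", upn="jdoe@corp.example.com")

if __name__ == "__main__":
    upn = upn_from_san(SAMPLE_SAN)
    print(upn, "->", enterprise_principal(upn, "CORP.EXAMPLE.COM").unparse())
```

The rfc822Name entry is deliberately placed first so the loop has to skip a non-`otherName` GeneralName before it finds the UPN; a SAN with no UPN `otherName` yields `None`, which is the case where a caller would fall back to presenting the certificate itself as the post describes.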