英文:
Kerberos Resourced based constrained delegation in cross realm setup
问题
我尝试使用最新的JDK 8来执行基于资源的受限委派,似乎在获取S4U2Proxy调用的最后一步的服务票证时遇到了问题。
这是我的设置:
两个Microsoft AD Forest,启用了双向Forest身份验证。
- ForestA:forestA.com
- ForestB:forestB.com
- 前端服务位于ForestA,具有http/myappserver.forestA.com的SPN。
- 后端服务位于ForestB,具有http/backend.forestB.com的SPN。
- 被模拟的用户位于ForestB,用户名为userB。
我已经成功地利用了S4U2Self协议,并检索到了用于将用户B的服务票证传递到ForestA前端服务的服务票证。然而,在尝试使用S4U2Proxy获取传递到ForestB后端服务的服务票证时,请求失败,并显示Kerberos错误12。
在调查ForestB域控制器上的事件查看器中的审计日志时,它指示错误消息为0xC000019B(事件ID 4769),这似乎与一些通用信任设置问题有关。
如果以相同有效负载进行进一步请求,将从ForestB的域控制器返回Kerberos错误代码28。这可能是因为之前的Kerberos票证被缓存了吗?
更新:
如果前端服务和用户位于同一个Forest中,后端服务位于不同的Forest中,此设置将正常工作。
如果前端服务和后端服务位于一个Forest中,用户位于不同的Forest中,它也能正常工作。
英文:
I'm trying to use latest JDK 8 to perform resource based constrained delegation, and seems to be running into issues getting the service ticket for the last leg of the S4U2Proxy call.
Here is my setup:
Two microsoft AD forest with two way forest authentication enabled.
- ForestA: forestA.com
- ForestB: forestB.com
- Front end service is in ForestA with SPN of http/myappserver.forestA.com
- Back end service in ForestB with SPN of http/backend.forestB.com
- The user being impersonated is in ForestB with username of userB.
I've successfully utilized S4U2Self protocol and retrieved the service ticket for userB to Front end service in ForestA. However, when trying to utilized S4U2Proxy to get service ticket to back end service in ForestB, the request fails with error code kerberos error 12.
Upon investigating the audit logs from event Viewer on the domain controller of ForestB, it indicates the error message is 0xC000019B (Event Id 4769), which seems to be related to some generic trust setup issue.
Any further requests with the same payload with result in Kerberos error code 28 back from ForestB's domainController. Likely due to caching of kerberos ticket from before?
Update:
This setup works fine if the front end service and the user are in the same forest, and the back end service is in a different forest.
It also works when front end service and back end service are in one forest, and the user is in a different forest.
答案1
得分: 1
与微软讨论此事后,确认 Microsoft AD 在设计上不支持这种特定情况。具体来说,如果前端服务位于一个域中,而用户和资源服务位于不同的域中,则不支持这种用例。
希望这对将来遇到此问题的人有所帮助。
英文:
After discussing the matter with Microsoft, it was confirmed that this specific case is not supported by Microsoft AD by design. Specifically if front end service is in one forest, and the user and resource service are in a different forest, then this use case is not supported.
Hopefully this helps for someone that encounter this issue in the future.
答案2
得分: 0
错误代码12是KDC_ERR_POLICY。
我也遇到了相同的问题,在那种情况下,中间层是Linux,在Ubuntu 18.04 LTS上作为反向代理运行Apache2。
MIT在2021年实现了基于资源的受限委托协议,使用Kerberos V.5 1.19。
这是继Microsoft在2012年扩展Kerberos协议后的9年。
解决方案是升级到附带Kerberos 1.19的Ubuntu 22.04 LTS,然后问题就解决了。
我通过在Azure云中创建一个Forest,2个DC,SQL,中间层,IIS服务器和用户笔记本电脑,发现了问题。
通过在DC中使用网络监视器进行检查,我可以看到票据在IIS和Apache2之间是如何不同地交换的。然后我浏览了MIT的发布说明,看到了他们在1.19中宣布的基于资源的受限委托功能。
英文:
Errorcode 12 is KDC_ERR_POLICY
I experienced the same, where the midtier was Linux, running Apache2 as reverse proxy, on Ubuntu 18.04 LTS.
MIT implemented resource-based constrained delegation protocol in 2021, with Kerberos V.5 1.19.
9 years after Microsoft extended the Kerberos protocol in 2012.
The solution was to upgrade to Ubuntu 22.04 LTS, which come with Kerberos 1.19. Then it worked.
I found out by creating a Forest, 2x DC, SQL, mid-tier, IIS server and user laptop in Azure cloud.
By inspection with Network Monitor in DC, I could see how Tickets was interchange differently, comparing IIS and Apache2. Then I travelled through MIT release notes and saw their announcement for Resource-Based Constrained Delegation in 1.19.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论