Kerberos, ActiveDirectory, S4U2proxy, Resource-based constrained delegation, ... - Begriffe

Work in progress. :-)

• MS-SFU
• MS-KILE
• MS-PAC
• PA-PAC-OPTIONS
• CNAME-IN-ADDL-TKT
• S4U2proxy
• S4U2self
• msDS-AllowedToDelegateTo
• msDS-AllowedToActOnBehalfOfOtherIdentity
• resource-based constrained delegation flag (PA-PAC-OPTIONS)
• GSSAPI

Abkürzungen

• PA: pre-authentication
• PAC: Privilege Attribute Certificate
• TGT: Ticket Granting Ticket
• TGS: Ticket Grating Server
• TKT: Ticket (???)
• S4U2self: Service for User to Self (für einen Service um ein Service-Ticket für einen User selbst abzufragen)
• S4U2proxy: Service for User to proxy (für constrained delegation und/oder resource-based-constrained delegation)

Links

• MS-SFU, 1.3.3 Protocol Overview
• MS-SFU, 2.2.5 PA-PAC-OPTIONS
• MS-KILE, 2.2.10 PA-PAC-OPTIONS
• MS-SFU, 2.2.3 CNAME-IN-ADDL-TKT
• MS-ADA2, M, 2.211 Attribute msDS-AllowedToDelegateTo
• MS-ADA2, M, 2.210 Attribute msDS-AllowedToActOnBehalfOfOtherIdentity
• FreeIPA, Ticket #5444 [RFE] Support Resource based kerberos constrained delegation