MS-SFU: A look from the Windows interface

It is not unusual for our group to receive a question regarding Constrained Delegation and Protocol Transition. Even though the document (MS-SFU) does a great job in detailing the specification, not all implementers are familiar with the way in which Windows needs to be configured in order to be able to fulfill the requirements…


Verifying the server signature in Kerberos Privilege Account Certificate

This blog post focuses on understanding how a server signature is verified in a Kerberos Privilege Account Certificate (PAC). A PAC contains two signatures: a server signature and a KDC signature. In a previous blog, I introduced PAC validation, whereby the server requests the KDC to verify the PAC. In this blog, I will talk…


S4U_DELEGATION_INFO and Constrained Delegation

Background: The constrained delegation extension, also called S4Uproxy, is one of the Service for User (S4U) extensions to the Kerberos protocol. It allows a service to obtain service tickets to a subset of other services on behalf of the user. The service can then present the tickets to the other service as if the user has…


Understanding Microsoft Kerberos PAC Validation

This blog post focuses on understanding Microsoft Kerberos PAC validation. It discusses the topic from an interoperability perspective with Windows operating systems. An SMB session establishment scenario is used to illustrate how PAC validation works. Background: Impersonation enables a trusted identity to act on behalf of another identity to perform an action. The trusted…