S4U2Self and OpenJDK 8

Marc Boorshtein marc.boorshtein at tremolosecurity.com
Tue Dec 1 16:23:56 UTC 2015

Hmm, I think you are right.  Here's what the Microsoft docs say "The
S4U2proxy extension requires that the service ticket to the first
service has the forwardable flag set (see Service 1 in the figure
specifying Kerberos delegation with forwarded TGT, section 1.3.3).
This ticket can be obtained through an S4U2self protocol exchange.".
I'll followup with the folks at RedHat and FreeIPA.

Marc Boorshtein
CTO Tremolo Security
marc.boorshtein at tremolosecurity.com
(703) 828-4902

On Mon, Nov 30, 2015 at 10:01 PM, Wang Weijun <weijun.wang at oracle.com> wrote:
> It is my understanding that if the S4U2self ticket is not forwardable then it cannot be used in a S4U2proxy request. That's we just threw an exception. Am I wrong? Or you don't intend to use it this way?
> --Max

More information about the security-dev mailing list