It is not unusual for our group to receive a question regarding Constrained Delegation and Protocol Transition. Even though the document ( MS-SFU ) does a great job in detailing the specification, not all implementers are familiar with the way in which Windows needs to be configured in order to be...

This blog post focuses on understanding how a server signature is verified in a Kerberos Privilege Account Certificate (PAC). A PAC contains two signatures: a server signature and a KDC signature. In a previous blog , I introduced PAC validation, whereby the server requests the KDC to verify the PAC...

Background The constrained delegation extension, also called S4Uproxy , is one of the Service for User (S4U) extensions to Kerberos protocol. It allows a service to obtain service tickets to a subset of other services on behalf of the user. The service can then present the tickets to the other service...

This blog post focuses on understanding Microsoft Kerberos PAC validation. It discusses the topic from inter-operability perspective with Windows operating systems. A SMB session establishment scenario is used to illustrate how PAC validation works. Background Impersonation enables a trusted...