79551179

Date: 2025-04-02 17:21:37
Score: 1

> How many tickets are where? How can I check?

There is always one ticket (the service ticket) under ap-req > ticket. It's sent in the clear, but always paired with a one-time authenticator (aka checksum) that proves the client knows the session key.

When delegation is enabled, the second ticket (the delegated one) is stored within that authenticator, under `ap-req > authenticator > cipher > authenticator > cksum > krb-cred`.

> How many tickets are in the request?

Impossible to tell from the screenshot.

> If there are 2, please point them out to me. And how do I accept them on the server side?

It should be automatically stored as part of the server's (acceptor's) GSSContext. That seems to be happening here and here.

> If there is 1, how should I add one more ticket?

In HTTP, at least as far as I understand it, the client needs to perform delegation proactively (since only one step is possible with GSSAPI, the server can't request it).

  1. The client's `klist` needs to show a TGT that is forwardable.

    Also, the user principal needs to not have any KDC-side restrictions. For example, Domain Admins on Windows might have the "This account is sensitive and cannot be delegated" flag set on them.

  2. If the HTTP service ticket happens to be cached in `klist`, then it should show the `ok_as_delegate` flag, corresponding to "Trust this user for delegation[...]".

    Windows and some other clients require that flag (treating it as admin-set policy); other clients ignore that flag and always delegate if configured, e.g. a Java client could use `requestDelegPolicy()`.

  3. The HTTP client needs to be configured to do delegation.

    In Firefox, `network.negotiate-auth.delegation-uris` would be set to `https://`, for example, or to `.example.com` (or a combination) to make the browser initiate delegation. (Make sure you don't make the 'delegation' list too broad; it should only allow a few specific hosts.)

    With curl you would specify `curl --negotiate --delegation always` (doesn't work for me on Windows, but does work on Linux).

    If you were making a custom HTTP client in Java, I think you would call `.requestCredDeleg(true)` on the `GSSContext` object before getting a token.

Posted by: grawity_u1686
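As an added example (not part of the original answer, and not grawity's code): a small Python check for the two client-side preconditions in steps 1 and 2 of the answer, a forwardable TGT and an `ok_as_delegate` service ticket. It parses the text of `klist -f` rather than running it, so it works offline; the sample cache contents, principal names and hostnames below are constructed, and the flag letters assumed are MIT Kerberos's (`F` forwardable, `R` renewable, `I` initial, `A` pre-authenticated, `O` ok_as_delegate).

```python
"""Check a credential cache for the ticket flags that HTTP/Negotiate
delegation depends on: a forwardable TGT (F) and ok_as_delegate (O)
on the service ticket.

Added example; input is `klist -f` text in MIT Kerberos layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample `klist -f` output (not real data). Two HTTP
# service tickets are cached: one with ok_as_delegate, one without.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/02/2025 17:00:00  04/03/2025 03:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/09/2025 17:00:00, Flags: FRIA
04/02/2025 17:05:00  04/03/2025 03:00:00  HTTP/web.example.com@EXAMPLE.COM
\tFlags: FAO
04/02/2025 17:06:00  04/03/2025 03:00:00  HTTP/legacy.example.com@EXAMPLE.COM
\tFlags: FA
"""

# An entry line: two timestamps followed by the service principal.
ENTRY_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d)\s+"
    r"(?P<sprinc>\S+)\s*$"
)
# The indented continuation line carrying "Flags: ..." (possibly after
# "renew until ...,").
FLAGS_RE = re.compile(r"Flags:\s*(?P<flags>[A-Za-z]*)")


@dataclass
class Ticket:
    service: str
    flags: str = ""

    @property
    def forwardable(self) -> bool:
        return "F" in self.flags

    @property
    def ok_as_delegate(self) -> bool:
        return "O" in self.flags


def parse_klist(text: str) -> dict[str, Ticket]:
    """Return tickets keyed by service principal. A Flags line belongs
    to the entry that precedes it; entries without one keep ''."""
    tickets: dict[str, Ticket] = {}
    current: Ticket | None = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = Ticket(service=m.group("sprinc"))
            tickets[current.service] = current
            continue
        m = FLAGS_RE.search(line)
        if m and current is not None:
            current.flags = m.group("flags")
    return tickets


def delegation_check(text: str, service: str) -> list[str]:
    """Return the problems preventing delegation to `service`; an empty
    list means both client-side preconditions hold. KDC-side account
    restrictions are invisible here and only show up as a refusal."""
    tickets = parse_klist(text)
    problems: list[str] = []
    tgt = next((t for s, t in tickets.items() if s.startswith("krbtgt/")), None)
    if tgt is None:
        problems.append("no TGT in cache (kinit first)")
    elif not tgt.forwardable:
        problems.append("TGT is not forwardable (kinit -f, or forwardable = true in krb5.conf)")
    svc = tickets.get(service)
    if svc is None:
        problems.append(f"no cached ticket for {service}; fetch one (e.g. kvno {service}) and re-run")
    elif not svc.ok_as_delegate:
        problems.append(f"{service} lacks ok_as_delegate; Windows-style clients will refuse to delegate")
    return problems


if __name__ == "__main__":
    for spn in ("HTTP/web.example.com@EXAMPLE.COM", "HTTP/legacy.example.com@EXAMPLE.COM"):
        issues = delegation_check(SAMPLE_KLIST, spn)
        print(spn, "->", "OK" if not issues else "; ".join(issues))
```

Run it against a real cache with `klist -f | python3 check.py` after swapping `SAMPLE_KLIST` for `sys.stdin.read()`; a missing service ticket is not a failure in itself, it just means the `ok_as_delegate` test cannot be made until one is requested.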