
KB-8814: Non-forwardable Kerberos Ticket is Generated With Trust Delegation Enabled

Authentication Service

13 June,17 at 08:19 PM

Question:
 
A non-forwardable Kerberos TGT (Ticket Granting Ticket) is generated on login even when the host machine is trusted for Kerberos delegation.

On a Windows machine, the TGT looks like this:
  
User-added image
  
On a Linux machine, after running the command 
 
# kinit -f
 
the TGT looks like this:
  
User-added image
 
Answer:
  
The user account has the "Account is sensitive and cannot be delegated" account flag enabled.
 
User-added image

This prevents the TGT from being forwardable. The TGT will still be valid for one SSO (Single Sign On) hop, but the flag will prevent nested SSO hops.
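
The check described above can be scripted. The following is an added example, not part of the original article or the vendor's tooling: it reads the TGT flags from MIT `klist -f` output and correlates them with the user's Active Directory userAccountControl value. The function names and the sample data are hypothetical and constructed for illustration; it assumes the userAccountControl integer has already been read from the user object.

```python
import re

# Active Directory userAccountControl bits (documented values).
UAC_NORMAL_ACCOUNT = 0x00000200
UAC_NOT_DELEGATED = 0x00100000  # "Account is sensitive and cannot be delegated"

def tgt_flags(klist_output):
    """Return the flag letters of the krbtgt entry in MIT `klist -f` output.

    Returns None when the cache holds no TGT, "" when no flags are listed.
    """
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        if re.search(r"\skrbtgt/\S+@\S+\s*$", line):
            # MIT klist prints the flags on the indented line after the ticket.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            m = re.search(r"Flags:\s*([A-Za-z]+)", nxt) if nxt[:1].isspace() else None
            return m.group(1) if m else ""
    return None

def diagnose(klist_output, user_uac):
    """Correlate the TGT flags with the user's userAccountControl value."""
    flags = tgt_flags(klist_output)
    if flags is None:
        return "no TGT in cache"
    if "F" in flags:  # upper-case F = forwardable; lower-case f = forwarded
        return "TGT is forwardable"
    if user_uac & UAC_NOT_DELEGATED:
        return "TGT not forwardable: account is sensitive and cannot be delegated"
    return "TGT not forwardable: account flag not set, check other causes"

# Constructed sample data, not output captured from the article's systems.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/13/2017 20:19:00  06/14/2017 06:19:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/20/2017 20:19:00, Flags: RIA
"""
SAMPLE_UAC = UAC_NORMAL_ACCOUNT | UAC_NOT_DELEGATED  # 0x100200

if __name__ == "__main__":
    print(diagnose(SAMPLE_KLIST, SAMPLE_UAC))
```
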