
I have an Active Directory with a KDC running on Windows Server 2012.

At the moment, every user can request service tickets for every service from the TGS. I'm looking for a solution where the KDC only grants a service ticket for service X if the user is in group Y or something similar.

Is that possible with Active Directory?

phXql
  • Keep in mind the difference between Authentication and Authorization. The Authentication process validates a user is who they claim to be. If you're developing something, you also need a separate Authorization process to determine if that user is authorized to perform a specific task or function. – Clayton Jun 17 '15 at 13:40

1 Answer


Yes, either remove the "allow to authenticate" permission (and add the specific group) or deny that permission as appropriate.

By default all users in the same domain have allow to authenticate.

Without “Allowed to Authenticate” permission to a target computer (or service account, depending on the service), the KDC will not issue a service ticket to that subject (user) for that service (SPN).

Jim B
  • Looks like this doesn't work with only one domain. I've added a managed service account called http and a user called user. I've created a SPN for the http account. In the security settings of http, I created a new entry for user and ticked the deny field for "allowed to authenticate". The KDC still issues tickets to user for http. – phXql Jun 17 '15 at 07:39
  • I'd have to get specifics on how you enabled the deny, but I can assure you that there is no Kerberos mechanism to grant an unauthenticated subject a service ticket. – Jim B Jun 18 '15 at 19:44
  • @phxql - did you get the acl configured properly? – Jim B Jun 23 '15 at 04:15
  • Nope, had no luck. Tried several permissions on both subjects (http and user) but the KDC still issues tickets. – phXql Jun 23 '15 at 07:15
  • I can confirm for a Windows Server 2016 deployment that “Allowed to Authenticate” has no effect on the KDC’s willingness to issue a TGS. I believe this is by design considering `[MS-KILE]` (3.3.5.7 TGS Exchange) states that the `Allowed-to-Authenticate` right is only checked if the TGT contains the `OTHER_ORGANIZATION` SID. – phg May 29 '19 at 07:40
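The answer and the follow-up comments hinge on whether the "Allowed to Authenticate" ACE was actually written to the service account, so the script below (an added example, not code from the thread or its participants) shows how to read and set that ACE with the ActiveDirectory PowerShell module's `AD:` drive. It assumes RSAT is installed and that the schema GUID `68b1d179-0d15-4d4f-ab71-46152e79a7bc` is the `rightsGuid` of the Allowed-To-Authenticate extended right; the account names `http` and `user` and the domain `CONTOSO` are placeholders matching the question. As the last comment points out, the KDC only evaluates this right when the TGT carries the `OTHER_ORGANIZATION` SID (selective authentication across a forest trust), so this is a way to audit and apply the ACE, not a way to restrict intra-domain ticket issuance.

```powershell
# Added example: inspect and set the "Allowed to Authenticate" ACE on an AD object.
# Assumes the ActiveDirectory module (RSAT) and its AD: PSDrive are available.
Import-Module ActiveDirectory

# Schema rightsGuid of the Allowed-To-Authenticate extended right (assumed value).
$AllowedToAuthenticateGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticateAces {
    # Lists every explicit or inherited ACE on the object that grants or denies
    # the Allowed-To-Authenticate extended right, so you can see whether the
    # deny entry described in the comments really landed on the account.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.ObjectType -eq $AllowedToAuthenticateGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Set-AllowedToAuthenticateAce {
    # Adds an Allow or Deny ACE for the Allowed-To-Authenticate right on the
    # target object. Deny is the default because that is what the question
    # author tried; Allow is what the answer suggests after removing the broad grant.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$IdentityNtAccount,   # e.g. 'CONTOSO\user' (placeholder)
        [ValidateSet('Allow', 'Deny')][string]$Type = 'Deny'
    )

    $path = "AD:\" + $DistinguishedName
    $acl = Get-Acl -Path $path
    $identity = New-Object System.Security.Principal.NTAccount($IdentityNtAccount)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]$Type,
        $AllowedToAuthenticateGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Usage with the question's placeholder names (managed service accounts carry a
# trailing '$' in sAMAccountName). Resolve the DN first, then audit before and
# after applying the deny so the change is visible in the ACL itself.
$serviceAccount = Get-ADObject -LDAPFilter '(sAMAccountName=http$)'
if ($null -ne $serviceAccount) {
    Write-Host "Before:"
    Get-AllowedToAuthenticateAces -DistinguishedName $serviceAccount.DistinguishedName | Format-Table

    Set-AllowedToAuthenticateAce -DistinguishedName $serviceAccount.DistinguishedName `
                                 -IdentityNtAccount 'CONTOSO\user' -Type Deny

    Write-Host "After:"
    Get-AllowedToAuthenticateAces -DistinguishedName $serviceAccount.DistinguishedName | Format-Table
}
```

If the "After" listing shows the Deny ACE for `CONTOSO\user` and the KDC still issues a ticket for the `http` SPN, the ACL is configured as intended and the observed behaviour is the one phg's comment attributes to [MS-KILE]: for a principal from the same forest the TGT lacks the `OTHER_ORGANIZATION` SID, so the right is never consulted. Limiting which users can use a service intra-domain therefore has to be enforced by the service's own authorization (the distinction Clayton's comment draws), not by the KDC.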