2.6. Forwardable Tickets
Overview
Authentication forwarding is a special case of proxying in which the service granted is complete use of the client's identity. An example is when a user logs in to a remote system and wants authentication to work from that system as if the login were local.
FORWARDABLE Flag
The FORWARDABLE flag in a ticket:
- Is normally only interpreted by the ticket-granting service
- Can be ignored by application servers
- Has an interpretation similar to that of the PROXIABLE flag, except that ticket-granting tickets (TGTs) may also be issued with different network addresses
- Is reset by default
- Users MAY request that it be set by setting the FORWARDABLE option in the AS request when requesting the initial TGT
Benefits
- Allows authentication forwarding without requiring the user to enter a password again
- If the flag is not set, authentication forwarding is not permitted
- The same result can still be achieved if the user engages in the AS exchange, specifies the requested network addresses, and supplies a password
FORWARDED Flag
The FORWARDED flag:
- Is set by the TGS when a client presents a ticket with the FORWARDABLE flag set
- Requires the client to request a forwarded ticket by specifying the FORWARDED KDC option
- The client must supply a set of addresses for the new ticket
- Is also set in all tickets issued on the basis of tickets with the FORWARDED flag set
- Application servers may choose to process FORWARDED tickets differently from non-FORWARDED tickets
Best Practice for Addressless Tickets
If addressless tickets are forwarded from one system to another, clients SHOULD still use this option to obtain a new TGT in order to have different session keys on the different systems.
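The flag rules above and the addressless best practice, modelled as an added example (not KDC code and not from RFC 4120 itself): flag names stand in for the ASN.1 TicketFlags/KDCOptions bits, session keys are simulated with random bytes, and the PROXIABLE path is deliberately left out. The names Ticket, KDCError, as_issue_tgt, tgs_issue and forward_login are invented for this illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    client: str
    flags: frozenset      # subset of {"FORWARDABLE", "FORWARDED"} (names stand in for the ASN.1 bits)
    addresses: frozenset  # empty => addressless ticket
    session_key: bytes    # fresh per issued ticket (simulated with random bytes)

class KDCError(Exception):
    pass

def as_issue_tgt(client, addresses, kdc_options=frozenset()):
    """AS exchange: FORWARDABLE is reset by default and set only if requested."""
    flags = {"FORWARDABLE"} & set(kdc_options)
    return Ticket(client, frozenset(flags), frozenset(addresses), secrets.token_bytes(16))

def tgs_issue(tgt, kdc_options, requested_addresses):
    """TGS exchange: derive the flags and addresses of the ticket to issue."""
    new_flags = set()
    if "FORWARDED" in kdc_options:
        # Forwarding requires the presented ticket to be FORWARDABLE ...
        if "FORWARDABLE" not in tgt.flags:
            raise KDCError("FORWARDABLE not set: authentication forwarding not permitted")
        # ... and the client supplies the addresses for the new ticket (empty => addressless).
        addresses = frozenset(requested_addresses)
        new_flags.add("FORWARDED")
    else:
        # Simplification: without the FORWARDED option the addresses may not change
        # (the PROXIABLE/PROXY path is not modelled here).
        if frozenset(requested_addresses) != tgt.addresses:
            raise KDCError("changing addresses requires the FORWARDED option")
        addresses = tgt.addresses
    # FORWARDED is inherited by every ticket issued on the basis of a FORWARDED ticket.
    if "FORWARDED" in tgt.flags:
        new_flags.add("FORWARDED")
    # FORWARDABLE carries over only when the TGT has it and the client asks for it again.
    if "FORWARDABLE" in tgt.flags and "FORWARDABLE" in kdc_options:
        new_flags.add("FORWARDABLE")
    return Ticket(tgt.client, frozenset(new_flags), addresses, secrets.token_bytes(16))

def forward_login(tgt, remote_addresses):
    """Client side of a remote login: always request a FORWARDED TGT, even for an
    addressless TGT, so the remote system gets its own session key."""
    return tgs_issue(tgt, frozenset({"FORWARDED", "FORWARDABLE"}), remote_addresses)
```

Running forward_login on a TGT issued without the FORWARDABLE option raises KDCError, which is the "not permitted" case; on a forwardable addressless TGT it still returns a ticket with a fresh session key.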
Reference
For complete technical details, refer to RFC 4120 Section 2.6.