delegation from a MIT win98 client to Active Directory

Mads Rasmussen mads at
Thu Nov 25 07:57:22 EST 2004

Jeffrey Altman wrote:
> Please explain what it is you are attempting to achieve.
> A client delegates by forwarding either a TGT or a proxy
> ticket to the service.  This operation is performed by
> the application communicating with the service.
> Forwarding tickets is supported by MIT Kerberos for Windows.
> Jeffrey Altman

Sure Jeffrey,

We would like to make the "double-hop" work on a Windows 98 client. To 
make this more clear:

- A domain with a AD server and Kerberos tickets used for authentication
- a Windows 98 station navigating the web through IE
- Accessing a page in an IIS server
- The page retrieves data in a SQL OLAP server.

The double-hop means that the OLAP server will be able to get the right 
user information and, securely, release the information for that user.

This scenario works for a Windows 2000 client but not for Windows 98.
We would like to make it work, if possible

We have tried installing a MIT Kerberos client on the Windows98 but we 
couldn't make it work, might be configuration problems though.

During some research we suspect that there is a "delegation flag" that 
the MIT client doesn't set.
After the logon all other communication (ticket requesting and granting) 
should happen between the AD and the SQL Server.

Any thoughts that might help us see the light?


Mads Rasmussen
Open Communications Security

More information about the Kerberos mailing list