Delegation or Explicit Credentials for Web Service?

Michael B Allen mba2000 at ioplex.com
Thu May 25 23:15:18 EDT 2006


On Thu, 25 May 2006 22:13:32 -0400
Michael B Allen <mba2000 at ioplex.com> wrote:

> failing with KRB5KDC_ERR_BADOPTION. From looking at an Ethereal trace
> I can see the only option set is 'forwarded' (NOT 'forwardable'). The
> KDC is W2K3.

Actually I don't know what I was looking at before but now I'm seeing
both 'forwardable' and 'forwarded' set on and the W2K3 KDC is failing
with KRB5KDC_ERR_BADOPTION.

If I hack the Heimdal source to only send 'forwardable' the TGS request
succeeds but the HTTP request fails with '401 Access is denied due to
invalid credentials'.

Mike


