Why doesn't krb5_get_credentials_for_user return an error even if the ticket received is not FORWARDABLE?
Greg Hudson
ghudson at MIT.EDU
Wed Jul 11 00:24:14 EDT 2012
On 07/10/2012 11:48 PM, Weijun Wang wrote:
> My question is: is this ticket useful for any other purpose? If not, why
> doesn't krb5_get_credentials_for_user return an error at the beginning?

It can be useful for examining the authorization data in the ticket
(like a PAC), if the KDC is capable of putting one in there.

See also:
http://msdn.microsoft.com/en-us/library/ff634450(v=prot.13)