[EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

Nebergall, Christopher cneberg at sandia.gov
Tue Mar 12 17:03:47 EDT 2013

Thank you I believe that will be very helpful but I'm unable to test because while I could get constrained delegation working with the t_s4u test program in 1.10.3 I can't get the test program to work with the same accounts in 1.11.1.    The test AD Server is windows 2008 R2 SP 1 in both cases.

./t_s4u p:testusr1 at TOPHERVILLE.COM p:host/testkcd2.topherville.com at TOPHERVILLE.COM /tmp/kcd_keytab_tv
Protocol transition tests follow

gss_acquire_cred_impersonate_name: Unspecified GSS failure.  Minor code may provide more information
gss_acquire_cred_impersonate_name: KDC has no support for padata type

-----Original Message-----
From: Greg Hudson [mailto:ghudson at MIT.EDU] 
Sent: Monday, March 11, 2013 10:44 PM
To: Nebergall, Christopher
Cc: kerberos at mit.edu
Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching

On 03/11/2013 08:23 PM, Nebergall, Christopher wrote:
> Does anyone have any tips on copying the credentials created from Kerberos constrained delegation to a credentials cache file and back in again?

This is only possible with 1.11 or later.  We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal.  More details at:


More information about the Kerberos mailing list