Incorrect delegation state shown on acceptor side by context flags

Vipul Mehta vipulmehta.1989 at
Fri May 17 10:56:09 EDT 2013

So, on acceptor side, how do i know that initiator has delegated the
credentials if i can't rely on context delegation flag ?

What about the java implementation of GSS ? Looks like there it works fine.

On Fri, May 17, 2013 at 7:18 PM, Greg Hudson <ghudson at> wrote:

> On 05/17/2013 07:33 AM, Vipul Mehta wrote:
> > So, for case B, the above if() condition will be true and it will set the
> > context delegation flag to true on acceptor side though delegation flag
> is
> > false on initiator side.
> This is how our constrained delegation (S4U2Proxy) support works.  I
> don't see anything in RFC 2743 or RFC 2744 which requires the flag
> states to be identical on the initiator and acceptor context.


More information about the Kerberos mailing list