Incorrect delegation state shown on acceptor side by context flags
Greg Hudson
ghudson at MIT.EDU
Fri May 17 11:01:31 EDT 2013
On 05/17/2013 10:56 AM, Vipul Mehta wrote:
> So, on acceptor side, how do I know that initiator has delegated the
> credentials if I can't rely on context delegation flag?

The GSSAPI doesn't distinguish between different kinds of credential
delegation. But if you use GSS_C_ACCEPT rather than GSS_C_BOTH acceptor
credentials, then constrained delegation won't be used, and you will be
able to tell whether traditional Kerberos ticket forwarding was used.

> What about the java implementation of GSS? Looks like there it works fine.

Does it support constrained delegation? If it doesn't, then the
behavior difference isn't surprising.