Incorrect delegation state shown on acceptor side by context flags

Greg Hudson ghudson at MIT.EDU
Fri May 17 11:01:31 EDT 2013

On 05/17/2013 10:56 AM, Vipul Mehta wrote:
> So, on acceptor side, how do i know that initiator has delegated the
> credentials if i can't rely on context delegation flag ?

The GSSAPI doesn't distinguish between different kinds of credential
delegation.  But if you use GSS_C_ACCEPT rather than GSS_C_BOTH acceptor
credentials, then constrained delegation won't be used, and you will be
able to tell whether traditional Kerberos ticket forwarding was used.

> What about the java implementation of GSS ? Looks like there it works fine.

Does it support constrained delegation?  If it doesn't, then the
behavior difference isn't surprising.

More information about the Kerberos mailing list