Windows KDC - Delegation Option
Christopher D. Clausen
cclausen at acm.org
Mon Feb 10 14:46:13 EST 2014
Try checking the "Account is sensitive and cannot be delegated" option
in the user properties and see if that does what you want. (I'm not
sure if it will or not, but I believe this is the option actually
intended to prevent Kerberos delegation.)
<<CDC
Vipul Mehta wrote, On 2/10/2014 12:50 AM:
> Hi,
>
> Scenario : User A forwards his credentials to User B. User B uses the
> forwarded credentials to interact with User C on behalf of user A.
> [Delegation]
>
> In Windows KDC there is a delegation option associated with user properties.
> I've set it to "Do not trust this user for delegation" for User B i.e. User
> B will not be able to use delegated credentials.
>
> In Windows SSPI API, it works fine and User B is not able to use delegated
> credentials.
>
> But the option doesn't seem to be having any impact in MIT Kerberos API in
> C++. User B is able to use A's forwarded credentials to establish security
> context with User C.
>
> Is this a problem from the KDC side? Any solution for this?
>
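The two options named in this thread are separate bits of the Active Directory `userAccountControl` attribute and are set on different accounts. As an added example (not part of the original messages), this Python code decodes those bits and lists accounts whose delegation settings differ from the stated intent; the account names, the hypothetical `svcD` entry and the sample values are constructed.

```python
# userAccountControl bit values as documented by Microsoft for Active Directory.
NORMAL_ACCOUNT = 0x00000200
TRUSTED_FOR_DELEGATION = 0x00080000          # account is trusted for delegation
NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # trusted to authenticate for delegation


def delegation_flags(uac):
    """Decode the delegation-related bits of a userAccountControl value."""
    return {
        "sensitive": bool(uac & NOT_DELEGATED),
        "trusted_for_delegation": bool(uac & TRUSTED_FOR_DELEGATION),
        "trusted_to_auth": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
    }


def audit(entries, must_not_be_delegated):
    """Return (account, finding) pairs for a list of (name, uac) entries.

    must_not_be_delegated: names whose credentials should never be forwarded.
    """
    findings = []
    for name, uac in entries:
        flags = delegation_flags(uac)
        if name in must_not_be_delegated and not flags["sensitive"]:
            findings.append((name, "NOT_DELEGATED is clear"))
        if flags["trusted_for_delegation"]:
            findings.append((name, "TRUSTED_FOR_DELEGATION is set"))
        if flags["trusted_to_auth"]:
            findings.append((name, "TRUSTED_TO_AUTH_FOR_DELEGATION is set"))
    return findings


# Constructed sample data modelled on the thread's User A, B and C.
SAMPLE = [
    ("userA", NORMAL_ACCOUNT),                           # credentials being forwarded
    ("userB", NORMAL_ACCOUNT),                           # "Do not trust this user for delegation"
    ("userC", NORMAL_ACCOUNT | NOT_DELEGATED),           # marked sensitive
    ("svcD", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION),   # hypothetical service account
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE, must_not_be_delegated={"userA", "userC"}):
        print(f"{account}: {finding}")
```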