Windows KDC - Delegation Option

Christopher D. Clausen cclausen at acm.org
Mon Feb 10 14:46:13 EST 2014


Try checking the "Account is sensitive and cannot be delegated" option 
in the user properties and see if that does what you want.  (I'm not 
sure if it will or not, but I believe this is the option actually 
intended to prevent Kerberos delegation.)

<<CDC

Vipul Mehta wrote, On 2/10/2014 12:50 AM:
> Hi,
>
> Scenario : User A forwards his credentials to User B. User B uses the
> forwarded credentials to interact with User C on behalf of user A.
> [Delegation]
>
> In the Windows KDC there is a delegation option associated with user properties.
> I've set it to "Do not trust this user for delegation" for User B i.e. User
> B will not be able to use delegated credentials.
>
> In Windows SSPI API, it works fine and User B is not able to use delegated
> credentials.
>
> But the option doesn't seem to be having any impact in MIT Kerberos API in
> C++. User B is able to use A's forwarded credentials to establish security
> context with User C.
>
> Is this a problem from the KDC side? Any solution for this?
>
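
An added illustration, not part of either message and not code from MIT Kerberos or Windows: a small Python model of how the two account options discussed in this thread map to ticket flags and to the client's decision to forward a TGT. It assumes the Microsoft-documented userAccountControl bit values and that the MIT client requested delegation with GSS_C_DELEG_FLAG (which forwards regardless of ok-as-delegate) rather than GSS_C_DELEG_POLICY_FLAG; the function names, account names and values are constructed.

```python
# Added example: a model of the policy, not KDC or library code.
# userAccountControl bits behind the two dialog options (documented values).
NORMAL_ACCOUNT = 0x200
TRUSTED_FOR_DELEGATION = 0x80000  # "Trust this user for delegation", set on the service (User B)
NOT_DELEGATED = 0x100000          # "Account is sensitive and cannot be delegated", set on the user (User A)


def kdc_ticket_flags(client_uac, service_uac):
    """Ticket flags the KDC issues for client -> service (hypothetical helper)."""
    return {
        # A sensitive account gets no forwardable tickets, so the client
        # has nothing it can forward to the service.
        "forwardable": not (client_uac & NOT_DELEGATED),
        # RFC 4120 ok-as-delegate: an advisory hint that the service is
        # trusted for delegation. The client is free to ignore it.
        "ok_as_delegate": bool(service_uac & TRUSTED_FOR_DELEGATION),
    }


def client_forwards_tgt(flags, mode):
    """mode 'always' models GSS_C_DELEG_FLAG, 'policy' models GSS_C_DELEG_POLICY_FLAG."""
    if not flags["forwardable"]:
        return False                    # enforced by the KDC
    if mode == "always":
        return True                     # hint ignored, TGT forwarded anyway
    if mode == "policy":
        return flags["ok_as_delegate"]  # client-side policy honours the hint
    raise ValueError("unknown mode: %r" % mode)


def scenarios():
    """Constructed accounts: User A (client) and User B (service)."""
    untrusted_b = kdc_ticket_flags(NORMAL_ACCOUNT, NORMAL_ACCOUNT)
    sensitive_a = kdc_ticket_flags(NORMAL_ACCOUNT | NOT_DELEGATED,
                                   NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION)
    return {
        # B not trusted: the outcome depends only on how the client asks.
        "B untrusted, always": client_forwards_tgt(untrusted_b, "always"),
        "B untrusted, policy": client_forwards_tgt(untrusted_b, "policy"),
        # A sensitive: blocked whatever the client asks for.
        "A sensitive, always": client_forwards_tgt(sensitive_a, "always"),
        "A sensitive, policy": client_forwards_tgt(sensitive_a, "policy"),
    }


if __name__ == "__main__":
    for name, forwarded in scenarios().items():
        print("%-22s forwarded=%s" % (name, forwarded))
```

In this model the service-side trust setting only changes an advisory flag, while the sensitive-account setting removes the forwardable ticket itself.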

