Windows KDC - Delegation Option

Greg Hudson ghudson at MIT.EDU
Mon Feb 10 15:51:51 EST 2014


On 02/10/2014 01:50 AM, Vipul Mehta wrote:
> In windows KDC there is delegation option associated with user properties.
> I've set it to "Do not trust this user for delegation" for User B i.e. User
> B will not be able to use delegated credentials.

I believe this option affects the ok-as-delegate ticket flag, which was
added in RFC 4120.  Microsoft's Kerberos implementation honors this
flag, but Unix implementations do not, as doing so would effectively
disable all ticket forwarding in most Unix environments.

MIT krb5 and Heimdal did add the GSS_C_DELEG_POLICY_FLAG flag so that
applications can choose to delegate tickets only if the ok-as-delegate
flag is set on the service ticket.  But it's not clear when a Unix
application would want to use that instead of GSS_C_DELEG_FLAG.
