Windows KDC - Delegation Option

Vipul Mehta vipulmehta.1989 at gmail.com
Tue Feb 11 08:30:42 EST 2014


@Christopher: I know about that option. I don't want to disable delegation,
but I want to know the correct behaviour of MIT Kerberos with the KDC option I
specified.

@Greg, now it's clear to me.
I checked the code also. So, if the initiator has requested GSS_C_DELEG_FLAG,
then delegation will always be done and the value of the "ok-as-delegate" flag in
the service ticket does not matter in that case. The value of the "ok-as-delegate" flag
is important when the initiator has not requested GSS_C_DELEG_FLAG but has
requested GSS_C_DELEG_POLICY_FLAG.

On Tue, Feb 11, 2014 at 2:21 AM, Greg Hudson <ghudson at mit.edu> wrote:

> I believe this option affects the ok-as-delegate ticket flag, which was
> added in RFC 4120.  Microsoft's Kerberos implementation honors this
> flag, but Unix implementations do not, as doing so would effectively
> disable all ticket forwarding in most Unix environments.
>
> MIT krb5 and Heimdal did add the GSS_C_DELEG_POLICY_FLAG flag so that
> applications can choose to delegate tickets only if the ok-as-delegate
> flag is set on the service ticket.  But it's not clear when a Unix
> application would want to use that instead of GSS_C_DELEG_FLAG.
>



-- 
Regards,
Vipul

