Constrained Delegation and PAC : Realm crossover

Rick van Rein rick at
Thu Oct 15 08:00:22 EDT 2015


Does anyone on this list have S4U2Proxy or "Constrained Delegation"

I know that the security is based on a PAC, but it is unclear where it
is enforced -- in the benevolent service, or in the KDC.

And, if it is the KDC, which one if client and service realms differ? 
The client provides a Forwarded TGT along with the session key on it, so
I presume it is the client's KDC who applies policy (to avoid that a
webmail service uses more than imap and smtp backend services).

Don't worry about pointing me to specs (or sections therein) if I missed
the hints.  Since I don't use Windows I'm already getting at this from
the "outside", reading specs, but it's not easy to see the whole picture.
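The following is an added, constructed illustration (not code from this thread and not from any KDC implementation) of the question the post raises: a toy model of the KDC-side S4U2Proxy policy decision. It assumes two policy styles: classic constrained delegation, where the delegating service's own account lists the targets it may request tickets for (the AD attribute msDS-AllowedToDelegateTo, or krbAllowedToDelegateTo in MIT's LDAP schema) and the KDC of that service's realm consults it; and resource-based constrained delegation, where the target's account lists the services allowed to act on its behalf (msDS-AllowedToActOnBehalfOfOtherIdentity) and the KDC of the target's realm consults it. Realm names, principals and ticket fields are all made up, and the model only shows the delegation policy check, not PAC signature verification or the cross-realm referral TGT exchange.

```python
"""Toy model of the KDC-side S4U2Proxy (constrained delegation) policy check.

Constructed example for illustration; not code from the mailing-list thread
or from any real KDC.  All realm and principal names below are made up.
"""
from dataclasses import dataclass, field


@dataclass
class EvidenceTicket:
    client: str        # the user on whose behalf delegation is requested
    service: str       # the front-end service presenting the ticket
    forwardable: bool  # S4U2Proxy requires a forwardable evidence ticket
    has_pac: bool      # authorization data (the PAC on Windows) present


@dataclass
class ServiceAccount:
    principal: str
    realm: str
    # classic constrained delegation: targets this service may delegate to
    allowed_to_delegate_to: set = field(default_factory=set)
    # resource-based constrained delegation: services allowed to act on behalf
    # of other identities when talking to *this* service
    allowed_to_act_on_behalf: set = field(default_factory=set)


@dataclass
class KDC:
    realm: str
    accounts: dict  # principal name -> ServiceAccount owned by this realm

    def s4u2proxy(self, evidence, target):
        """Decide whether evidence.service may obtain a ticket for `target`
        in the name of evidence.client.  Returns (allowed, reason)."""
        if not evidence.forwardable:
            return False, "evidence ticket is not forwardable"
        if not evidence.has_pac:
            return False, "evidence ticket carries no authorization data"
        svc = self.accounts.get(evidence.service)
        tgt = self.accounts.get(target)
        # Classic CD: only the KDC that owns the delegating service's account
        # can see its allowed-to-delegate-to list.
        if svc is not None and svc.realm == self.realm \
                and target in svc.allowed_to_delegate_to:
            return True, "allowed by delegating service's allowed-to-delegate-to list"
        # RBCD: only the KDC that owns the target's account can see the list of
        # services permitted to act on behalf of other identities towards it.
        if tgt is not None and tgt.realm == self.realm \
                and evidence.service in tgt.allowed_to_act_on_behalf:
            return True, "allowed by target's resource-based delegation list"
        return False, "no delegation policy permits %s -> %s" % (evidence.service, target)


def demo():
    """Webmail front end in EXAMPLE.COM may delegate to imap and smtp in its own
    realm (classic CD); a file server in OTHER.ORG trusts webmail via RBCD."""
    webmail = ServiceAccount("HTTP/webmail.example.com@EXAMPLE.COM", "EXAMPLE.COM",
                             allowed_to_delegate_to={
                                 "imap/mail.example.com@EXAMPLE.COM",
                                 "smtp/mail.example.com@EXAMPLE.COM"})
    imap = ServiceAccount("imap/mail.example.com@EXAMPLE.COM", "EXAMPLE.COM")
    smtp = ServiceAccount("smtp/mail.example.com@EXAMPLE.COM", "EXAMPLE.COM")
    files = ServiceAccount("cifs/files.other.org@OTHER.ORG", "OTHER.ORG",
                           allowed_to_act_on_behalf={webmail.principal})
    kdc_example = KDC("EXAMPLE.COM", {a.principal: a for a in (webmail, imap, smtp)})
    kdc_other = KDC("OTHER.ORG", {files.principal: files})

    ticket = EvidenceTicket("alice@EXAMPLE.COM", webmail.principal, True, True)
    unforwardable = EvidenceTicket("alice@EXAMPLE.COM", webmail.principal, False, True)
    return {
        # permitted by webmail's own list, checked in webmail's realm
        "imap": kdc_example.s4u2proxy(ticket, imap.principal)[0],
        # not in the list: webmail cannot reach into the directory service
        "ldap": kdc_example.s4u2proxy(ticket, "ldap/dc.example.com@EXAMPLE.COM")[0],
        # the home KDC knows nothing about OTHER.ORG's resource policy
        "files_via_home_kdc": kdc_example.s4u2proxy(ticket, files.principal)[0],
        # the target's KDC applies the resource-based policy
        "files_via_target_kdc": kdc_other.s4u2proxy(ticket, files.principal)[0],
        # a non-forwardable evidence ticket is refused before any policy lookup
        "not_forwardable": kdc_example.s4u2proxy(unforwardable, imap.principal)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-22s %s" % (name, "ALLOW" if allowed else "DENY"))
```

The point of the two KDC objects is the realm-crossover question: in this model each policy attribute is only visible to the KDC that owns the account carrying it, so the classic list is enforced in the delegating service's realm while the resource-based list is enforced in the target's realm, and a request that neither KDC can vouch for is denied.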


