Constrained Delegation and PAC : Realm crossover
Rick van Rein
rick at openfortress.nl
Thu Oct 15 08:00:22 EDT 2015

Does anyone on this list have S4U2Proxy or "Constrained Delegation"

I know that the security is based on a PAC, but it is unclear where it
is enforced -- in the benevolent service, or in the KDC.

And, if it is the KDC, which one if client and service realms differ?

The client provides a Forwarded TGT along with the session key on it, so
I presume it is the client's KDC who applies policy (to avoid that a
webmail service uses more than imap and smtp backend services).

Don't worry about pointing me to specs (or sections therein) if I missed
the hints. Since I don't use Windows I'm already getting at this from
the "outside", reading specs, but it's not easy to see the whole picture.