Constrained Delegation and PAC : Realm crossover

Rick van Rein rick at
Tue Oct 20 04:54:45 EDT 2015

Hi Simo,

> I guess I need to ask you for a detailed example of a transaction to
> understand what you are aiming to.

Gladly, thanks :)

An example of use I have in mind is a party owning a domain name, based on externally hosted components from online providers, all secured and linked together through Kerberos.  The domain name may provide basic mechanisms such as web, IMAP and SMTP.  The domain's KDC is either included in the domain package or taken in from an externally hosted service, or perhaps this is the one component hosted under his own control (maybe using a dedicated Raspberry Pi distribution).

To assert his online identity, the domain owner can take in externally hosted services like XMPP and SIP.  And a Kerberos-protected WebMail may be taken in because of its user interface.  This WebMail service is interesting, because it requires access to IMAP and SMTP.  Since this WebMail is an external service, it should not be permitted more access than what it needs to function though.

I am wondering if constrained delegation can help the domain's clients to safely use the external WebMail service, with constrained delegation to limit the access from WebMail to IMAP and SMTP and nothing more.

Sorry if I'm not very good at reverse-engineering the security architecture from the MS-SFU, -KILE and -PAC documentation.  I also didn't find a HOWTO-styled instruction for this facility with an open source Kerberos.
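As an illustration of the policy decision the question is about (an added example, not from this post or from any Kerberos implementation), here is a minimal model of the check a KDC makes on an S4U2Proxy request: the WebMail service may obtain tickets in a user's name for IMAP and SMTP only, and only when the user's ticket to WebMail carries the FORWARDABLE flag, as MS-SFU requires for S4U2proxy. All principal names and the policy table are constructed, and the realm check only reflects that a KDC issues service tickets for its own realm.

```python
from dataclasses import dataclass

# Constrained-delegation policy of the domain's KDC: which service may
# obtain tickets on behalf of a user, and for which target services only.
# Principal names below are constructed for this example.
KDC_REALM = "EXAMPLE.ORG"
DELEGATION_POLICY = {
    "HTTP/webmail.hoster.example@EXAMPLE.ORG": {
        "imap/mail.example.org@EXAMPLE.ORG",
        "smtp/mail.example.org@EXAMPLE.ORG",
    },
}


@dataclass
class Ticket:
    client: str          # user the ticket was issued to
    server: str          # service principal the ticket is for
    forwardable: bool    # FORWARDABLE flag in the ticket's encrypted part


@dataclass
class S4U2ProxyRequest:
    requester: str       # service presenting the evidence ticket
    target: str          # service it wants a ticket for, in the user's name
    evidence: Ticket     # the user's own ticket to the requester


def check_s4u2proxy(req, policy=DELEGATION_POLICY, realm=KDC_REALM):
    """Return (allowed, reason). Models only the KDC-side policy decision;
    verification of the evidence ticket and its PAC is assumed done before."""
    ev = req.evidence
    if ev.server != req.requester:
        return False, "evidence ticket is not for the requesting service"
    if not ev.forwardable:
        return False, "evidence ticket is not forwardable"
    if req.target.rsplit("@", 1)[-1] != realm:
        return False, "target is outside this KDC's realm"
    if req.target not in policy.get(req.requester, set()):
        return False, "requester may not delegate to this target"
    return True, f"issue ticket for {ev.client} to {req.target}"
```

A WebMail request for an XMPP or SIP ticket, or one backed by a non-forwardable ticket, is refused with the reason given, which is what "IMAP and SMTP and nothing more" amounts to at the KDC.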


More information about the Kerberos mailing list