Constrained Delegation error "KDC policy rejects request"

John Byrne jhnbyrn at
Wed Feb 6 15:49:39 EST 2019


I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
I'm trying to perform constrained delegation. However, I'm getting this
error from the KDC when the intermediate service calls the step() function
on the security context: "KDC policy rejects request"

Here's the KDC log:

Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8
etypes {18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE:
authtime 0,  HTTP/ at EXAMPLE.COM for HTTP/ at EXAMPLE.COM, KDC policy rejects request

I've set the "ok_to_auth_as_delegate" flag on the intermediate service
principal HTTP/, using kadmin.local (output of getprinc

Is there something else I need to do to allow this?


PS. here's the output of kadmin.local getprinc command for the intermediate
service principal:

kadmin.local:  getprinc HTTP/
Principal: HTTP/ at EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Feb 06 14:58:41 EST 2019
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Feb 06 15:19:15 EST 2019 (root/admin at EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
MKey: vno 1

More information about the Kerberos mailing list