Constrained Delegation error "KDC policy rejects request"

John Byrne jhnbyrn at
Wed Feb 6 21:20:49 EST 2019

I figured it out, and it's working for me now.

For anyone else who's having this issue, there are 2 separate things you
have to set up to allow an intermediate service to impersonate a user:

* the ok_to_auth_as_delegate flag (in kadmin)
* an access control list in ldap.

I wasn't sure if editing ldap directly was the best thing to do, but I
didn't know of any alternative, so I created an ldif file like this:

dn: krbPrincipalName=HTTP/ at EXAMPLE.COM,cn=EXAMPLE.COM
changetype: modify
add: krbAllowedToDelegateTo
krbAllowedToDelegateTo: HTTP/

You might be able to guess your appropriate ldap dn name based on that
format, but I just found it by doing a search with ldapsearch for my top
level entry, dc=example,dc=com.

After adding the above ldif with ldapmodify, constrained delegation now
works nicely and I can turn it on and off for that intermediate service via
kadmin, using the ok_to_auth_as_delegate flag.

Thanks again to everyone who replied to my other threads on this!



On Wed, Feb 6, 2019 at 3:49 PM John Byrne <jhnbyrn at> wrote:

> Hi,
> I've set up a KDC using LDAP as the backend (krb5 1.15.1 on CentOS 7), and
> I'm trying to perform constrained delegation. However, I'm getting this
> error from the KDC when the intermediate service calls the step() function
> on the security context: "KDC policy rejects request"
> Here's the KDC log:
> Feb 06 15:39:35 localhost.localdomain krb5kdc[13310](info): TGS_REQ (8
> etypes {18 17 20 19 16 23 25 26}) NOT_ALLOWED_TO_DELEGATE:
> authtime 0,  HTTP/ at EXAMPLE.COM for HTTP/
> at EXAMPLE.COM, KDC policy rejects request
> I've set the "ok_to_auth_as_delegate" flag on the intermediate service
> principal HTTP/, using kadmin.local (output of getprinc
> below).
> Is there something else I need to do to allow this?
> Thanks,
> John
> PS. here's the output of kadmin.local getprinc command for the
> intermediate service principal:
> kadmin.local:  getprinc HTTP/
> Principal: HTTP/ at EXAMPLE.COM
> Expiration date: [never]
> Last password change: Wed Feb 06 14:58:41 EST 2019
> Password expiration date: [never]
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 0 days 00:00:00
> Last modified: Wed Feb 06 15:19:15 EST 2019 (root/admin at EXAMPLE.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 2
> Key: vno 2, aes256-cts-hmac-sha1-96
> Key: vno 2, aes128-cts-hmac-sha1-96
> MKey: vno 1
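
The two prerequisites described in the reply above (the ok_to_auth_as_delegate flag on the intermediate principal, plus a krbAllowedToDelegateTo value on its LDAP entry) are easy to check and to audit offline. The following Python helper is an added example, not code from the thread or from MIT krb5: it parses saved `kadmin.local getprinc` output and an LDIF dump of the principal's entry, reports which prerequisite is missing for a given target service, and emits the same style of ldapmodify input the reply uses. The sample getprinc text and LDIF are constructed, with placeholder hostnames; the flag name OK_TO_AUTH_AS_DELEGATE in the getprinc "Attributes:" line and the treatment of a realm-less krbAllowedToDelegateTo value as belonging to the intermediate's realm are assumptions.

```python
# Constructed sample of `kadmin.local getprinc` output for an intermediate
# web service; hostnames are placeholders, not from the original thread.
SAMPLE_GETPRINC = """\
Principal: HTTP/web.example.com@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes: OK_TO_AUTH_AS_DELEGATE
Policy: [none]
"""

# Constructed LDIF of the same principal's entry in the krb5 LDAP backend.
# One value is folded across two lines to exercise LDIF continuation.
SAMPLE_LDIF = """\
dn: krbPrincipalName=HTTP/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM
krbPrincipalName: HTTP/web.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: HTTP/backend.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: ldap/dir.exa
 mple.com@EXAMPLE.COM
"""


def parse_getprinc(text):
    """Return (principal, set of attribute flags) from getprinc output."""
    principal = None
    flags = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Principal":
            principal = value
        elif key == "Attributes":
            flags = set(value.split())
    return principal, flags


def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}, unfolding continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # LDIF folds long lines with a leading space
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if not sep or not attr.strip():
            continue
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def qualify(principal, default_realm):
    """Append a realm to a principal that lacks one (assumption: a realm-less
    krbAllowedToDelegateTo value is read as the intermediate's own realm)."""
    return principal if "@" in principal else f"{principal}@{default_realm}"


def check_delegation(getprinc_text, ldif_text, target):
    """Return a list of findings; an empty list means both prerequisites
    are in place for the intermediate to delegate to `target`."""
    findings = []
    principal, flags = parse_getprinc(getprinc_text)
    if principal is None:
        return ["getprinc output has no Principal line"]
    realm = principal.rpartition("@")[2]
    if "OK_TO_AUTH_AS_DELEGATE" not in flags:
        findings.append(f"{principal}: ok_to_auth_as_delegate flag not set "
                        "(kadmin: modprinc +ok_to_auth_as_delegate)")
    entry = parse_ldif(ldif_text)
    allowed = {qualify(v, realm) for v in entry.get("krbAllowedToDelegateTo", [])}
    if qualify(target, realm) not in allowed:
        findings.append(f"{principal}: krbAllowedToDelegateTo does not list {target}")
    return findings


def build_allow_ldif(dn, target):
    """Produce the ldapmodify input that adds `target` to krbAllowedToDelegateTo."""
    return (f"dn: {dn}\nchangetype: modify\nadd: krbAllowedToDelegateTo\n"
            f"krbAllowedToDelegateTo: {target}\n")


if __name__ == "__main__":
    for t in ("HTTP/backend.example.com@EXAMPLE.COM", "ldap/dir.example.com",
              "cifs/files.example.com@EXAMPLE.COM"):
        print(t, "->", check_delegation(SAMPLE_GETPRINC, SAMPLE_LDIF, t) or "allowed")
```

Running the script against real `getprinc` output and an `ldapsearch -LLL` dump of the service's entry gives a quick review of exactly which backend services an intermediate may impersonate users to, which is worth repeating whenever the flag is toggled in kadmin, since the flag and the LDAP list are maintained separately and only the combination grants the right.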

More information about the Kerberos mailing list