Multi-Hop Authentication and Constrained Delegation?

Greg Hudson ghudson at mit.edu
Wed May 22 23:41:08 EDT 2019


On 5/22/19 2:17 PM, Robert Wehn wrote:
> However we are lacking the information, of how to actually implement and
> use it on the application side.
> 
> How to implement constrained delegation in an application?

We have documentation on that at:
http://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#constrained-delegation-s4u

> Is there an open source application out there, where one could see and
> learn, how to implement constrained delegation?
> 
> Does Apache implement anything in that kind, one could build and rely on?

You may be able to use mod_auth_gssapi:
https://github.com/modauthgssapi/mod_auth_gssapi

The GssapiUseS4U2Proxy activates constrained delegation.


More information about the Kerberos mailing list