Query regarding S4U2Self protocol extension

Isaac Boukris iboukris at gmail.com
Tue Jul 27 09:36:23 EDT 2021

Note, for MIT I think we don't need the NonForwardableDelegation flag,
just need to behave as enabled and let the plugin's get_principal()
add 'TrustedToAuthForDelegation' if the list is empty. This could
simplify the KDC code as we don't need to check the PAC's
not-delegated flag, although some tests would need updating.

More information about the Kerberos mailing list