[krbdev.mit.edu #8479] Resource Based Constrained Delegation client support

Greg Hudson via RT rt-comment at krbdev.mit.edu
Wed Aug 17 11:09:20 EDT 2016


Windows Server 2012 added a feature called Resource Based Constrained 
Delegation, which allows delegation policy to be configured on the 
S4U2Proxy target's principal entry rather than the intermediate's, and 
allows the intermediate and target to be in different realms.

Some client support is apparently necessary to make this work.  We have 
received at least one request to implement these client changes; I am 
creating this ticket to track that request.  I have not done the research 
to understand the scope of the required client changes.

http://mailman.mit.edu/pipermail/kerberos/2016-July/021295.html
https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/
https://msdn.microsoft.com/en-us/library/cc246071.aspx



More information about the krb5-bugs mailing list