[krbdev.mit.edu #9136] S4U2Proxy API error
Greg Hudson via RT
rt at kerborg-prod-app-1.mit.edu
Sun Sep 8 11:10:22 EDT 2024
<URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9136 >
The S4U2Proxy code has been tested against Active Directory and the MIT krb5
KDC. Typically S4U2Proxy operations are initiated via the GSSAPI, however;
see https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#constrained-delegation-s4u
and the test program t_s4u.c.
The protocol error code corresponding to "KDC can't fulfill requested option"
can have a variety of causes. One that immediately comes to mind is using a
non-forwardable evidence ticket, but there are many others. It's possible
that KDC logs could provide more information, but I am not very familiar with
Active Directory's logging.
As a note, MIT krb5 is an open source project and does not have an SLA with
any other organization. We cannot guarantee any specific response time for
bug reports or promise that they will be resolved.