disallow requests naming principal as a service

Sam Hartman hartmans at MIT.EDU
Tue Mar 26 18:14:00 EST 2002


>>>>> "John" == John Brezak <jbrezak at windows.microsoft.com> writes:

    John> Since the response is not authenticated, the client should
    John> not wholly depend on the KDC to guide its action.

    John> Ultimately, the client's policy should determine what action
    John> to take when the KDC is not able to provide a ticket for the
    John> requested service.  However, it would become very
    John> inefficient for the client to always try user2user if the
    John> KDC failed to return a service ticket.


My argument is that you shouldn't design a protocol that requires the
client to depend on the KDC.  By the time the client asks for a
Kerberos ticket it should already be committed to the non-u2u or U2U
protocol.

In the case of SASL or GSSAPI applications, the server should offer
the normal krb5 mechanism only when it has a service key, and a U2U
mechanism only when it has a TGT.
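
An added sketch of the arrangement described in the message above (not part of the original post or of any Kerberos implementation): the server advertises a mechanism only when it holds the matching credential, and the client fixes its mode before the ticket request, so an unauthenticated KDC error can only fail the attempt. The mechanism names, function names and reply dictionaries are assumptions made for the example.

```python
# Added illustration; mechanism names, helpers and replies are hypothetical.
KRB5 = "krb5"        # normal service-ticket mechanism
U2U = "krb5-u2u"     # assumed name for a user-to-user mechanism


def offered_mechanisms(has_service_key, has_tgt):
    """Server side: advertise only what the server can actually accept."""
    mechs = []
    if has_service_key:
        mechs.append(KRB5)
    if has_tgt:
        mechs.append(U2U)
    return mechs


def choose_mechanism(offered, client_policy):
    """Client side: pick by local policy order, before any KDC exchange."""
    for mech in client_policy:
        if mech in offered:
            return mech
    return None


def committed_client(offered, client_policy, kdc_reply):
    """Mode is fixed before the ticket request; a KDC error only fails it."""
    mech = choose_mechanism(offered, client_policy)
    if mech is None:
        return ("fail", "no acceptable mechanism")
    if kdc_reply["type"] == "error":
        return ("fail", f"{mech}: KDC error {kdc_reply['code']}")
    return ("ok", mech)


def kdc_guided_client(kdc_reply):
    """Contrast: lets an unauthenticated error reply select the mode."""
    if kdc_reply["type"] == "error":
        return ("ok", U2U)   # mode changed on the word of an unauthenticated message
    return ("ok", KRB5)


# Constructed sample replies; the error reply carries no authentication.
ERROR_REPLY = {"type": "error", "code": "constructed-error"}
TICKET_REPLY = {"type": "ticket"}

if __name__ == "__main__":
    offered = offered_mechanisms(has_service_key=True, has_tgt=False)
    print(committed_client(offered, [KRB5, U2U], ERROR_REPLY))
    print(kdc_guided_client(ERROR_REPLY))
```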




