hartmans at MIT.EDU
Mon May 17 16:56:58 EDT 2004
>>>>> "Derek" == Derek Atkins <warlord at MIT.EDU> writes:
Derek> True, but the destination KDC does get to enforce it (as
Derek> you suggest later).
And should not do so. The destination kdc should leave the policy
checked flag clear and the application server should reject.
I realize our code does not currently do this. That's because of a
bug in previous versions of our code. The 1.4 code base should be more liberal at the KDC layer.
More information about the krbdev