Services4User review

Nicolas Williams Nicolas.Williams at
Mon Aug 24 01:24:58 EDT 2009

On Sat, Aug 22, 2009 at 01:20:41PM +0200, Luke Howard wrote:
> And the really cool thing is that the application developer does not  
> have to use any new APIs to use constrained delegation (and only one  
> to use protocol transition). The API is exactly the same as it is for  
> "unconstrained" delegation.

Indeed, and it will work for both S4U2{Self, Proxy}.  Of course, there
are also new APIs that can be used, but they may well be unnecessary to
the point that you can just not bother with them.

To get gss_store_cred() to store such creds though will require ccache
extensions and krb5_get_credentials() work.  But that's another story.
And it will likely not be necessary for a while (plus, MIT krb5 doesn't
have gss_store_cred()).

> (Of course, whether constrained delegation will be successful is  
> subject to the policy of the KDC.)

Of course.

More information about the krbdev mailing list