Constraint delegation support ( Microsoft extensions )

Luke Howard lukeh at
Tue Jan 6 00:23:42 EST 2009

On 06/01/2009, at 3:49 PM, JC Ferguson wrote:

> Are there any technical/design documents describing what has been  
> done to-date?

There is some background at:

It was implemented some years ago from the above article, although  
Microsoft have recently published more detailed protocol documentation  
in [MS-SFU].

A quick summary is: an intermediary service does a TGS-REQ to the  
target service, presenting the client's ticket to itself in the  
additional tickets field and setting KDC_OPT_CNAME_IN_ADDL_TKT. The  
client ticket must be forwardable and the target service must be  
listed in the "allowed to delegate to" property of the intermediary  
service (this is exposed via KRB5_TL_CONSTRAINED_DELEGATION_ACL).

The returned ticket identifies the client to the target service.

> Are there plans for the client library?  Are there any technical  
> documents for this available?

Client library would be good to have, but there are no plans I'm aware  
of right now. Certainly, some thought would be necessary as to whether  
the existing delegation abstractions in GSS-API could be used, and  
what the API should look like at the krb5 layer.

-- Luke

More information about the krbdev mailing list