AD-SIGNEDPATH and cross-realm
Sam Hartman
hartmans at MIT.EDU
Thu Feb 4 13:40:04 EST 2010
>>>>> "ghudson" == ghudson <ghudson at MIT.EDU> writes:
ghudson> * If AD-SIGNEDPATH is present in the ticket and checksum
ghudson> verification fails, we reject the TGS request even if we
ghudson> would have accepted the ticket without AD-SIGNEDPATH at all
ghudson> (i.e. it's not an S4U2Proxy request). I'm pretty sure we
ghudson> want to be more like Heimdal, and merely disallow the
ghudson> ticket as an S4U2Proxy subject ticket if verification
ghudson> fails. I am likely to make this change.
I think this is a really good change.