On Wed, 2010-02-24 at 19:16 -0500, Marcus Watts wrote:
> Is there a draft that describes AD-SIGNEDPATH?

AD-SIGNEDPATH serves mainly to prove that tickets came from the KDC and weren't printed by an application server. This is important for S4U2Proxy.

(Still looking over the rest of your mail, of course.)