inspecting krb5 ticket in GSSAPI

[Frank Cusack]

If I want my GSSAPI server application to inspect the kerberos
ticket flags, is there a way to do this?

It looks like I would just take the token the client sent, verify
the mechanism and then *do something* to extract the krb5 ticket.
Then I could create a krb5 context and look at the flags.

What I'd like to do is have the GSSAPI server verify that the hwauth
flag is set.  Or is it better to set the require_hwauth flag on the
server principal in the KDC?  That means my app can't directly enforce
it, so not ideal but it would be ok.  (Does that flag work that way?)