about protocol transition and constraint delegation

Greg Hudson ghudson at MIT.EDU
Thu Jan 10 15:55:23 EST 2013

On 01/10/2013 02:09 PM, Wu, James C. wrote:
> 1.       For protocols transition and constrained delegation, let's says user A authentication to service B with credentials other than Kerberos and service B can request Kerberos ticket to itself for user A from KDC using the protocol transition. Does this require that user A is a principal in the KDC?
> 2.       For Kerberos impersonation, let's say principal A want to impersonate as user B. Does this also require user B exists in the Kerberos KDC as a principal?

I believe the answers are yes and yes, for all current implementations
of S4U2Self and S4U2Proxy.

More information about the krbdev mailing list