About proxy_impersonator

Weijun Wang weijun.wang at oracle.com
Thu Feb 14 20:24:33 EST 2019


I read the following from https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html:

   proxy_impersonator

   The presence of this key indicates that the cache is a synthetic delegated credential
   for use with S4U2Proxy. The value is the name of the intermediate service whose TGT
   can be used to make S4U2Proxy requests for target services. This key is not associated
   with any principal.

I wonder what we (Java, as another krb5 vendor) should do when this entry appears in a ccache file. Should this ccache always belong to an intermediate server that works as both an initiator and an acceptor? If the entry is there, does it mean that it should always use S4U2Proxy to request a ticket to a backend server on behalf of a client and should never request for itself?

A ccache file is meant for sharing between processes. Who wrote this flag and who should use it?

Thanks,
Max
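
The format document quoted above stores configuration keys such as proxy_impersonator as credential entries whose server principal has the realm X-CACHECONF: and the first component krb5_ccache_conf_data, with the value in the ticket field. The following Python reader for version 4 ccache files is an added example, not part of the original post and not MIT or Java code; the sample cache and the names alice and HTTP/web.example.com are constructed.

```python
import io
import struct

CONF_REALM = b"X-CACHECONF:"            # realm marking a config entry
CONF_NAME = b"krb5_ccache_conf_data"    # first component of a config entry

def _u(f, fmt):                          # one big-endian integer ("H" or "I")
    return struct.unpack(">" + fmt, f.read(struct.calcsize(fmt)))[0]

def _data(f):                            # 32-bit length, then that many bytes
    return f.read(_u(f, "I"))

def _principal(f):
    _u(f, "I")                           # name type, unused here
    count = _u(f, "I")
    realm = _data(f)
    return realm, [_data(f) for _ in range(count)]

def ccache_config(blob):
    """Return {key: value} for the config entries of a version 4 ccache."""
    f = io.BytesIO(blob)
    if f.read(2) != b"\x05\x04":
        raise ValueError("not a version 4 ccache")
    f.read(_u(f, "H"))                   # skip the header fields
    _principal(f)                        # default principal
    conf = {}
    while f.tell() < len(blob):
        _principal(f)                    # client
        realm, comps = _principal(f)     # server; carries the config key
        _u(f, "H"); _data(f)             # keyblock: enctype, key bytes
        f.read(16 + 1 + 4)               # four times, is_skey, ticket flags
        for _section in range(2):        # addresses, then authdata
            for _item in range(_u(f, "I")):
                _u(f, "H"); _data(f)
        ticket, _second = _data(f), _data(f)
        if realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_NAME:
            conf[comps[1].decode()] = ticket.decode()
    return conf

def proxy_impersonator(blob):
    """Name of the intermediate service, or None if the key is absent."""
    return ccache_config(blob).get("proxy_impersonator")

# Constructed sample cache (not a real credential): one config entry only.
def _d(b): return struct.pack(">I", len(b)) + b
def _p(realm, *comps): return struct.pack(">II", 1, len(comps)) + _d(realm) + b"".join(map(_d, comps))
USER = _p(b"EXAMPLE.COM", b"alice")
SAMPLE = (b"\x05\x04" + struct.pack(">HHH", 12, 1, 8) + bytes(8) + USER
          + USER + _p(CONF_REALM, CONF_NAME, b"proxy_impersonator")
          + bytes(35) + _d(b"HTTP/web.example.com@EXAMPLE.COM") + _d(b""))
```

A reader that finds the key can log or branch on the returned service name before deciding how to use the cache; truncated input surfaces as `struct.error`.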



