Constrained Delegation with certificate and GSS API

Greg Hudson ghudson at
Wed May 6 00:46:21 EDT 2020

On 5/6/20 12:25 AM, Puran Chand wrote:> I was wondering if there is
similar API to perform same with
> user-certificate this time instead of UPN.
> I hope it should send a AS-REQ with  PA-DATA P4-S4U-X509-USER with
> certificate (with my limited knowledge).

There isn't yet.  Release 1.18 included a lot of work on the internals,
as well as a kvno option (-F), but we haven't added any API for this
operation yet.  There is a work-in-progress pull request from Isaac
Boukris here:

There may be alternative designs for the API; for instance, we could
perhaps instead define a new name type and use

More information about the krbdev mailing list