authentication indicators and S4U2Self

Greg Hudson ghudson at
Wed May 6 15:29:29 EDT 2020

On 5/6/20 2:20 PM, Alexander Bokovoy wrote:
> Together with Isaac we were looking into the cross-realm S4U2Self
> implementation in FreeIPA and I noticed that MIT Kerberos does not allow
> issuing an S4U2Self service ticket to a service protected with
> an authentication indicator.

I think we can just omit the indicator check for S4U2Self requests.
Restricting how strong the initial ticket acquisition must have been to
access a service has nothing to do with the service fetching tickets for
