[External] : Re: Windows Credential Guard with MSLSA

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Sep 6 19:17:14 EDT 2023


>The code I am looking at is not having a GSSAPI implementation.  Is
>there an alternative to GSSAPI implementation to implement constrained
>delegation using Linux MIT Libraries?

As I understand it, it's not just a matter of using the GSSAPI, your
client-server PROTOCOL also needs to be using the GSSAPI AND the service
needs to be expecting the constrained delegation request and do the
appropriate magic.

If you have a native Kerberos application that is expecting a forwarded
ticket, well ... it's going to require some protocol rework at a bare
minimum.  It might be possible to do SOME of this using the native krb5
API; kvno, for example, has a '-P' option that does some of the client
piece but it's not clear to me what the application server needs to do
after receiving the constrained delegation information (I did read
the GSSAPI documentation, but like nearly all of the GSSAPI documentation
I've ever read it's clear as mud).

--Ken

