On 02/10/2014 01:50 AM, Vipul Mehta wrote:
> In Windows KDC there is a delegation option associated with user properties.
> I've set it to "Do not trust this user for delegation" for User B i.e. User
> B will not be able to use delegated credentials.

I believe this option affects the ok-as-delegate ticket flag, which was added in RFC 4120. Microsoft's Kerberos implementation honors this flag, but Unix implementations do not, as doing so would effectively disable all ticket forwarding in most Unix environments.

MIT krb5 and Heimdal did add the GSS_C_DELEG_POLICY_FLAG flag so that applications can choose to delegate tickets only if the ok-as-delegate flag is set on the service ticket. But it's not clear when a Unix application would want to use that instead of GSS_C_DELEG_FLAG.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
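
The difference between the two request flags discussed in the reply above, as an added example that is not part of the original message and is not MIT krb5 or Heimdal code. It is a simplified model: `ticket_flags_from_octets` and `will_delegate` are hypothetical helpers, the flag octets are constructed samples, and treating GSS_C_DELEG_FLAG as winning when both flags are requested is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>

/* GSS-API request flag values as they appear in MIT krb5's gssapi.h. */
#define GSS_C_DELEG_FLAG        1u
#define GSS_C_DELEG_POLICY_FLAG 32768u

/* RFC 4120 TicketFlags is a bit string whose bit 0 is the most significant
 * bit of the 32-bit word; ok-as-delegate is bit 13. */
#define TKT_FLAG_BIT(n)         (UINT32_C(1) << (31 - (n)))
#define TKT_FLG_OK_AS_DELEGATE  TKT_FLAG_BIT(13)   /* 0x00040000 */

/* Hypothetical helper: decode the four flag octets in wire order. */
static uint32_t ticket_flags_from_octets(const unsigned char o[4])
{
    return ((uint32_t)o[0] << 24) | ((uint32_t)o[1] << 16) |
           ((uint32_t)o[2] << 8)  |  (uint32_t)o[3];
}

/* Hypothetical model of the initiator's decision: returns 1 if the client
 * would forward its TGT to the service, 0 otherwise. */
static int will_delegate(uint32_t req_flags, uint32_t service_ticket_flags)
{
    if (req_flags & GSS_C_DELEG_FLAG)
        return 1;   /* unconditional: the KDC's delegation setting is ignored */
    if (req_flags & GSS_C_DELEG_POLICY_FLAG)
        return (service_ticket_flags & TKT_FLG_OK_AS_DELEGATE) != 0;
    return 0;       /* delegation was not requested */
}

int main(void)
{
    /* Constructed sample flag octets, not taken from real tickets:
     * forwardable + renewable + pre-authent, with and without ok-as-delegate. */
    const unsigned char trusted[4]   = { 0x40, 0xa4, 0x00, 0x00 };
    const unsigned char untrusted[4] = { 0x40, 0xa0, 0x00, 0x00 };
    uint32_t t = ticket_flags_from_octets(trusted);
    uint32_t u = ticket_flags_from_octets(untrusted);

    printf("DELEG_POLICY, service trusted:   %d\n",
           will_delegate(GSS_C_DELEG_POLICY_FLAG, t));
    printf("DELEG_POLICY, service untrusted: %d\n",
           will_delegate(GSS_C_DELEG_POLICY_FLAG, u));
    printf("DELEG,        service untrusted: %d\n",
           will_delegate(GSS_C_DELEG_FLAG, u));
    return 0;
}
```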