Your understanding is correct but credential delegation requirements are API dependent instead of platform.
For Unix : Putty uses MIT Kerberos - GSS API. When you enable delegation in putty it requests GSS_C_DELEG_FLAG instead of GSS_C_DELEG_POLICY_FLAG which doesn't check ok_as_delegate_flag, hence there is no need to set delegation option in Active Directory for credential delegation. For Windows: Putty uses SSPI in my opinion which requires delegation option in Active Directory to be set for credential delegation as it checks ok_as_delegate_flag. This is all based on my understanding of Kerberos. Someone having more experience can please correct if i am wrong here. On Fri, Apr 25, 2014 at 11:40 PM, Ben H <bhen...@gmail.com> wrote: > From what I am reading here it would appear that this behavior is expected > as the Unix systems (MIT) will forward a ticket regardless of the > ok_as_delegate flag. IOW, Windows systems require the host to show > ok_as_delegate in order to forward a ticket, whereas Unix systems do not. > > > -- Regards, Vipul ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos