Hello,

I'm actually building a solution with Kerberos constrained delegation. Below you can find a brief overview of my setup:

Front-end server: Linux with krb5-libs-1.10.3-42
Back-end server: Windows 2012 R2 with IIS 8.5
Domain Controller: Windows 2012 R2
Domain: abc.com
System account (used on Front-end server to request a Kerberos ticket on behalf of a user for Back-end server): abc.com\systemacc
User: abc.com\testuser
SPN (on Back-end server): http/myiis.abc.com

As long as the system account is permitted the "old way" (not resource based Kerberos constrained delegation), my setup works fine.

With Windows 2012 Microsoft has introduced Resource based Kerberos constrained delegation (see: https://technet.microsoft.com/en-us/library/hh831477.aspx#BKMK_kerb_const_del_domains)

My test results are that Kerberos constrained delegation doesn't work if the authorization decision is configured on the resource-owner (Resource based KCD), no matter whether all users and SPN are in the same Windows domain or not (cross domain KCD).

The requirements (see technet-link above) say that the Front-end server must run Windows 2012 server. My Front-end server is a Linux server with krb5-libs ;-).

That's why I have a few questions:

- Is there really a dependency, that krb5-libs must support RBKCD (Resource based Kerberos constrained delegation)?
- Does krb5-libs support RBKCD?
- If not now, are there any plans to support that?
- If it is already supported, which version is required and what has to be considered?

Thanks
Stefan

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos