On Tue, Apr 16, 2024 at 9:31 PM Ken Hornstein wrote:
> Simo already explained the thinking there, but I think the thing
> you're not considering is that not all services require delegated
> credentials. Yes, in your environment (and ours) delegated
> credentials for host principals is essential,
On Tue, Apr 16, 2024 at 1:46 PM Simo Sorce wrote:
> The correct action is for you to ask the Domain Administrators to
> mark the target hosts as ok for delegation, it is unclear why MIT
> Kerberos should make it easy to override Realm policies.
I think the core issue here is that RFC4120§2.8 was