Hi Simo / others,
>>> What I'm left wondering is, if the client's KDC knows what delegations
>>> are permitted, as is the case with FreeIPA, is it not simpler to pass on
>>> the additional tickets for smtp/ and imap/ in an AD structure in the
>>> webmail ticket?
>> This is a potential

Hi Simo,
> I guess I need to ask you for a detailed example of a transaction to
> understand what you are aiming at.
Gladly, thanks :)
An example of use I have in mind is a party owning a domain name, based on
externally hosted components from online providers, all secured and linked
together

Hi,
> There are 2 different approaches for Constrained Delegation, one where
> Access control is applied at the KDC level, and one that relies on the
> receiving service to apply access control.
>
> When using an MS-PAC you have an AD element that tells you whether the
> ticket is the result of

On 20/10/15 05:03, Rick van Rein wrote:
> Hi,
>
>
>> There are 2 different approaches for Constrained Delegation, one where
>> Access control is applied at the KDC level, and one that relies on the
>> receiving service to apply access control.
>>
>> When using an MS-PAC you have an AD element that

Hi,
>> What I'm left wondering is, if the client's KDC knows what delegations
>> are permitted, as is the case with FreeIPA, is it not simpler to pass on
>> the additional tickets for smtp/ and imap/ in an AD structure in the
>> webmail ticket?
>
> This is a potential optimization I have been

Hi Simo / others,
Thanks for your reply. I found KILE and PAC from SFU, but am having a
hard time figuring out what goes where, and whose responsibilities lie
where. That's not really obvious from these specs :-S
>> I know that the security is based on a PAC, but it is unclear where it
>> is

On 18/10/15 04:44, Rick van Rein wrote:
> Hi Simo / others,
>
> Thanks for your reply. I found KILE and PAC from SFU, but am having a
> hard time figuring out what goes where, and whose responsibilities lie
> where. That's not really obvious from these specs :-S
>
>>> I know that the security is

Hello,
Does anyone on this list have S4U2Proxy or "Constrained Delegation"
experience?
I know that the security is based on a PAC, but it is unclear where it
is enforced -- in the benevolent service, or in the KDC.
And, if it is the KDC, which one if client and service realms differ?
The

On 15/10/15 08:00, Rick van Rein wrote:
> Hello,
>
> Does anyone on this list have S4U2Proxy or "Constrained Delegation"
> experience?
Yes
> I know that the security is based on a PAC, but it is unclear where it
> is enforced -- in the benevolent service, or in the KDC.
Can be either, however