[37254] in Kerberos
Constrained Delegation and PAC : Realm crossover
daemon@ATHENA.MIT.EDU (Rick van Rein)
Thu Oct 15 08:01:00 2015
Message-ID: <561F9556.2050100@openfortress.nl>
Date: Thu, 15 Oct 2015 14:00:22 +0200
From: Rick van Rein <rick@openfortress.nl>
MIME-Version: 1.0
To: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello,
Does anyone on this list have S4U2Proxy or "Constrained Delegation"
experience?
I know that the security is based on a PAC, but it is unclear where it
is enforced -- in the benevolent service, or in the KDC.
And, if it is the KDC, which one if client and service realms differ?
The client provides a Forwarded TGT along with the session key on it, so
I presume it is the client's KDC who applies policy (to prevent a
webmail service from using more than the imap and smtp backend services).
Don't worry about pointing me to specs (or sections therein) if I missed
the hints. Since I don't use Windows, I'm already getting at this from
the "outside", reading specs, but it's not easy to see the whole picture.
Thanks!
-Rick
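The policy decision the question above asks about, modelled as an added example (not part of the original message, and not code from MIT Kerberos or from Microsoft). It follows the single-realm rules documented in MS-SFU for an S4U2Proxy TGS-REQ: the KDC that issued the front-end service's TGT checks the front-end's msDS-AllowedToDelegateTo list (classic constrained delegation, which also requires the client's evidence ticket to be forwardable) or the back-end's msDS-AllowedToActOnBehalfOfOtherIdentity list (resource-based constrained delegation), refuses clients marked "sensitive and cannot be delegated", and on success records the hop in the S4U_DELEGATION_INFO buffer of the PAC in the back-end ticket. The cross-realm case is not modelled. The account names, SPNs and directory contents are constructed for the example.

```python
"""Model of the KDC-side S4U2Proxy (constrained delegation) decision.

Added example following the single-realm rules in MS-SFU; not code from
the original message, MIT Kerberos or Microsoft. All names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Account:
    name: str
    spns: frozenset = frozenset()                  # SPNs this account owns
    allowed_to_delegate_to: frozenset = frozenset()  # msDS-AllowedToDelegateTo (front-end)
    allowed_to_act_on_behalf_of: frozenset = frozenset()  # msDS-AllowedToActOnBehalfOfOtherIdentity (back-end)
    not_delegated: bool = False                    # "sensitive, cannot be delegated"


@dataclass(frozen=True)
class EvidenceTicket:
    """Client's service ticket for the front-end, sent in additional-tickets."""
    client: str
    service: str
    forwardable: bool
    transited_services: Tuple[str, ...] = ()  # S4UTransitedServices from its PAC, if any


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    delegation_info: Optional[dict] = None  # PAC S4U_DELEGATION_INFO on success


def owner_of_spn(directory: Dict[str, Account], spn: str) -> Optional[Account]:
    """Resolve a target SPN to the account that owns it, as the KDC would."""
    for acct in directory.values():
        if spn in acct.spns:
            return acct
    return None


def s4u2proxy(directory: Dict[str, Account], front_end: str,
              evidence: EvidenceTicket, target_spn: str) -> Decision:
    """Evaluate a TGS-REQ with cname-in-addl-tkt from `front_end` for `target_spn`."""
    svc = directory[front_end]
    client = directory[evidence.client]
    target = owner_of_spn(directory, target_spn)

    if target is None:
        return Decision(False, "unknown target SPN")
    if evidence.service != front_end:
        return Decision(False, "evidence ticket was not issued to the requesting service")
    if client.not_delegated:
        return Decision(False, "client account is marked not delegatable")

    listed = target_spn in svc.allowed_to_delegate_to
    rbcd = front_end in target.allowed_to_act_on_behalf_of
    if not rbcd and not listed:
        return Decision(False, f"{front_end} is not allowed to delegate to {target_spn}")
    if not rbcd and not evidence.forwardable:
        return Decision(False, "evidence ticket is not forwardable and no resource-based rule applies")

    # The back-end ticket names the original client; the PAC records the hop.
    info = {
        "S4U2proxyTarget": target_spn,
        "S4UTransitedServices": list(evidence.transited_services) + [front_end],
    }
    return Decision(True, "resource-based" if rbcd else "classic", info)


# Constructed directory: a webmail front-end allowed to reach IMAP and SMTP
# (classic), a file server that allows webmail by resource-based rule, a DC
# that allows nothing, and a sensitive admin account.
DIRECTORY = {
    "WEBMAIL$": Account("WEBMAIL$", frozenset({"HTTP/webmail.example.com"}),
                        allowed_to_delegate_to=frozenset({"imap/mail.example.com",
                                                          "smtp/mail.example.com"})),
    "MAIL$": Account("MAIL$", frozenset({"imap/mail.example.com", "smtp/mail.example.com"})),
    "FILES$": Account("FILES$", frozenset({"cifs/files.example.com"}),
                      allowed_to_act_on_behalf_of=frozenset({"WEBMAIL$"})),
    "DC$": Account("DC$", frozenset({"ldap/dc.example.com"})),
    "alice": Account("alice"),
    "admin": Account("admin", not_delegated=True),
}

if __name__ == "__main__":
    t = EvidenceTicket("alice", "WEBMAIL$", forwardable=True)
    for spn in ("imap/mail.example.com", "cifs/files.example.com", "ldap/dc.example.com"):
        print(spn, s4u2proxy(DIRECTORY, "WEBMAIL$", t, spn))
```

Run as a script it prints one decision per target; the point to notice is that the webmail service's own request is what the KDC judges, using attributes held by the KDC, so a front-end that tries to reach a target outside its list is refused before any back-end sees a ticket.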
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos