[38523] in Kerberos
Re: Constraint Delegation with MIT Kerberos
daemon@ATHENA.MIT.EDU (Simo Sorce)
Fri Apr 5 11:42:51 2019
Message-ID: <552d6d5433b82c8db85ce98dd84fe228acff024b.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: "Jeffries, Joseph L" <Joseph.Jeffries@minnstate.edu>,
"Christopher D.
Clausen" <cclausen@acm.org>,
"kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 5 Apr 2019 11:42:28 -0400
In-Reply-To: <BL0PR10MB28682C7DCDEC2FE11EEB7FDDF4510@BL0PR10MB2868.namprd10.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Constrained delegation in MIT Kerberos required database configuration
support.
This is not available in plain DB2, only available if you use a backend
like LDAP.
FreeIPA (or Red Hat Identity Management) support Constrained delegation
for example.
HTH,
Simo.
On Fri, 2019-04-05 at 14:38 +0000, Jeffries, Joseph L wrote:
> Thanks Christopher. I have followed this and can get it to work, but when I add MIT Kerberos into the mix it does not work. According to Microsoft 3 Tier Kerberos support there needs to be a service or spn configured for MIT Kerberos to do Constraint Delegation. So I am looking for documentation or cook book on how to configure MIT Kerberos to do Constraint Delegation.
>
> Thanks,
> Joseph
>
> -----Original Message-----
> From: Christopher D. Clausen <cclausen@acm.org>
> Sent: Friday, April 5, 2019 9:21 AM
> To: Jeffries, Joseph L <Joseph.Jeffries@minnstate.edu>; kerberos@mit.edu
> Subject: Re: Constraint Delegation with MIT Kerberos
>
> For Active Directory:
> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fkerberos%2Fkerberos-constrained-delegation-overview&data=02%7C01%7CJoseph.Jeffries%40minnstate.edu%7Cda33b6f47a0b4001035b08d6b9d1fe16%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C1%7C636900708895916671&sdata=JxKG%2FqXwrkCqAKIsHt0NWsctVZW3hNjBKJcwSUuWwIA%3D&reserved=0
>
>
> <<CDC
>
> On 4/5/2019 8:35 AM, Jeffries, Joseph L wrote:
> > I did not get a response from anybody. Does anybody have instructions for setting up Constraint Delegation on any platform?
> >
> > Thanks,
> > Joseph
> >
> > -----Original Message-----
> > From: kerberos-bounces@mit.edu <kerberos-bounces@mit.edu> On Behalf Of Jeffries, Joseph L
> > Sent: Wednesday, April 3, 2019 8:47 AM
> > To: kerberos@mit.edu
> > Subject: Constraint Delegation with MIT Kerberos
> >
> > Hello All,
> > I am new to Kerberos and I am trying to setup Constraint Delegation with MIT Kerberos. I do have Full\Open Delegation working, but one of the servers (Microsoft Power BI Server OnPrem) requires Constraint Delegation. I have not found instructions for setting Constraint Delegation up in a Windows server environment. Could someone share the instructions, if they exists or provide me the steps to make this work?
> >
> > Thank you in advance!
> >
> > Joseph
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
