[36253] in Kerberos
Re: Use of NT-ENTERPRISE name type via GSS-API
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Jul 3 14:38:48 2014
Message-ID: <53B5A31A.2030104@mit.edu>
Date: Thu, 03 Jul 2014 14:38:18 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Alan Braggins <alan.braggins@riverbed.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <53B3D288.6000704@riverbed.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 07/02/2014 05:36 AM, Alan Braggins wrote:
> I'm using Kerberos constrained delegation (s4u2proxy)
> for a proxy server that is authenticating clients to a
> Microsoft Active Domain server.
Can you explain more about what you're doing? I'm not immediately sure
why you would need to import a UPN in order to do s4u2proxy.
My understanding is that UPNs are used (1) during AS-requests, and (2)
to identify the server when doing cross-realm S4U2Self (which we should
do internally, but currently don't; that's issue #7790). I'm not sure
where they would be involved for S4U2Proxy.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
