On 03/07/14 19:38, Greg Hudson wrote:
> On 07/02/2014 05:36 AM, Alan Braggins wrote:
>> I'm using Kerberos constrained delegation (s4u2proxy)
>> for a proxy server that is authenticating clients to a
>> Microsoft Active Domain server.
>
> Can you explain more about what you're doing? I'm not immediately sure
> why you would need to import a UPN in order to do s4u2proxy.
>
> My understanding is that UPNs are used (1) during AS-requests, and (2)
> to identify the server when doing cross-realm S4U2Self (which we should
> do internally, but currently don't; that's issue #7790). I'm not sure
> where they would be involved for S4U2Proxy.

It's the s4u2self step that I'm using the UPN to identify the user,
but I'm using s4u2self to get a ticket to then use for s4u2proxy.
So in gss_acquire_cred_impersonate_name, my "desired_name" is a UPN
(which is parsed from an SSL client certificate subjectAlternateName).

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos