Hello,

Does anyone on this list have S4U2Proxy or "Constrained Delegation" experience?

I know that the security is based on a PAC, but it is unclear where it is enforced -- in the benevolent service, or in the KDC. And, if it is the KDC, which one if client and service realms differ? The client provides a Forwarded TGT along with the session key on it, so I presume it is the client's KDC who applies policy (to avoid that a webmail service uses more than imap and smtp backend services).

Don't worry about pointing me to specs (or sections therein) if I missed the hints. Since I don't use Windows I'm already getting at this from the "outside", reading specs, but it's not easy to see the whole picture.

Thanks!
-Rick

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
