On 08/02/2017 07:43 AM, Yu Yu wrote:
> Might I ask if MIT Kerberos KDC supports the Constrained Delegation (S4U2Self
> and S4U2Proxy) feature natively, or if an additional back-end (for example,
> LDAP) is required for it?

The LDAP KDB module (which is still technically "native") is required to configure constrained delegation permissions in the KDC. One configures them by setting "krbAllowedToDelegateTo" attribute values on the intermediate principal LDAP entry, where each value is an allowed target service principal name.
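
As an added example (not part of the original message or of MIT Kerberos), the following sketch audits which intermediate principals carry "krbAllowedToDelegateTo" values and which target services each may delegate to. It assumes an LDIF export of the realm container; the function names are hypothetical and the sample realm, DNs and service names are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample export; realm, DNs and service names are made up.
SAMPLE_LDIF = """\
dn: krbPrincipalName=HTTP/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,
 cn=krbContainer,dc=example,dc=com
krbPrincipalName: HTTP/web.example.com@EXAMPLE.COM
krbAllowedToDelegateTo: ldap/dir.example.com@EXAM
 PLE.COM
krbAllowedToDelegateTo:: {b64}

dn: krbPrincipalName=host/db.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,
 cn=krbContainer,dc=example,dc=com
krbPrincipalName: host/db.example.com@EXAMPLE.COM
""".format(b64=base64.b64encode(b"imap/mail.example.com@EXAMPLE.COM").decode())

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def delegation_map(ldif_text):
    """Return {intermediate principal: sorted allowed target principals}."""
    result, entry = {}, defaultdict(list)
    for line in unfold(ldif_text) + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.strip().lower()].append(value.strip())
            continue
        # Blank line: the entry is complete, record its delegation targets.
        targets = entry.get("krballowedtodelegateto", [])
        for name in entry.get("krbprincipalname", []):
            if targets:
                result.setdefault(name, set()).update(targets)
        entry.clear()
    return {p: sorted(t) for p, t in result.items()}

if __name__ == "__main__":
    for principal, targets in delegation_map(SAMPLE_LDIF).items():
        print(principal, "->", ", ".join(targets))
```

Principals without the attribute are omitted from the result, so the output is the list of services that have been granted constrained delegation and is suitable for periodic review.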