Hi,

We have been using an AD KDC/MIT KDC trust for some time now; for some political reason we are migrating the users from the MIT KDC to the AD.

Tests made at the beginning of the year were going almost "flawlessly" (well, as much as it is possible when trying to configure Microsoft software for interoperability). The MIT KDC is configured by a GPO, using the Delegate (0x4) flags, and the correct DNS mappings. Basic things still work as of today except credential delegation. I suppose it's related to this: https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server

But while there is a way to re-enable the previous behaviour for cross-forest trusts, the netdom commands aren't compatible with Kerberos V5 interop, and ksetup doesn't list any new flags that could correspond. I tried adding the ok_as_delegate and ok_to_auth_as_delegate flags to the MIT principals, but to no avail...

Does anyone know if it is possible to re-enable unconstrained delegation for Krb V5 in Windows?

I'm looking at ways to configure "constrained delegation" on the MIT KDC, but it's a very old setup using the db2 database; I can't seem to find a guide for migrating to the LDAP storage.

MS AD is running Windows Server 2012.

-- 
Benoit

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos