Hi,

To perform constrained delegation from Service A to Service B, the forwardable flag must be set in the S4U2Self service ticket returned by the KDC to Service A.

I did some testing with the Windows KDC and it will set the forwardable flag in the S4U2Self service ticket in either of the following cases:

1) TrustedToAuthForDelegation is set to true on the Service A account.
2) The Service A TGT used in S4U2Self has the forwardable flag set and the msDS-AllowedToDelegateTo list is empty on the Service A account.

I am not able to understand why msDS-AllowedToDelegateTo needs to be empty in the 2nd case.

Is the behavior of the MIT KDC the same as the Windows KDC?

In my test, I have configured resource-based constrained delegation in Service B (principalsAllowedToDelegateTo).

--
Regards,
Vipul

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
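When testing which of the cases above makes the KDC set the forwardable flag, the thing to inspect is the TicketFlags BIT STRING inside the returned S4U2Self ticket. The following decoder is an added example, not code from the post or from MIT Kerberos; it parses a DER-encoded KerberosFlags value per RFC 4120 (bit 1 is forwardable) and the sample ticket-flag bytes are constructed, not captured from a real KDC.

```python
# Added example: decode the TicketFlags BIT STRING of a Kerberos ticket
# (RFC 4120 sections 5.2.8 and 5.3) to check whether the forwardable flag,
# which S4U2Proxy constrained delegation depends on, is set.
from typing import Dict, List

# RFC 4120 TicketFlags bit positions; bit 0 is the MSB of the first octet.
TICKET_FLAG_NAMES: Dict[int, str] = {
    0: "reserved", 1: "forwardable", 2: "forwarded", 3: "proxiable",
    4: "proxy", 5: "may-postdate", 6: "postdated", 7: "invalid",
    8: "renewable", 9: "initial", 10: "pre-authent", 11: "hw-authent",
    12: "transited-policy-checked", 13: "ok-as-delegate",
}


def decode_ticket_flags(der: bytes) -> List[str]:
    """Parse a DER BIT STRING (tag 0x03) holding KerberosFlags and return
    the names of the bits that are set, in ascending bit order."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # Short-form length only; KerberosFlags is always small.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]
    body = der[3:]
    # KerberosFlags must carry at least 32 bits (RFC 4120 section 5.2.8).
    if len(body) < 4 or unused > 7:
        raise ValueError("KerberosFlags must be at least 32 bits")
    total_bits = len(body) * 8 - unused
    names = []
    for bit in range(total_bits):
        if body[bit // 8] & (0x80 >> (bit % 8)):
            names.append(TICKET_FLAG_NAMES.get(bit, f"bit{bit}"))
    return names


def is_forwardable(der: bytes) -> bool:
    """True when the ticket's forwardable flag (bit 1) is set."""
    return "forwardable" in decode_ticket_flags(der)


# Constructed sample values (not captured from a real KDC):
# forwardable (bit 1) + renewable (bit 8) + pre-authent (bit 10).
FORWARDABLE_S4U2SELF_FLAGS = bytes.fromhex("03 05 00 40 A0 00 00")
# Same ticket without the forwardable bit, e.g. A2D2 populated but
# TrustedToAuthForDelegation not set, as described in the post.
NON_FORWARDABLE_S4U2SELF_FLAGS = bytes.fromhex("03 05 00 00 A0 00 00")

if __name__ == "__main__":
    for label, flags in (("forwardable", FORWARDABLE_S4U2SELF_FLAGS),
                         ("non-forwardable", NON_FORWARDABLE_S4U2SELF_FLAGS)):
        print(label, decode_ticket_flags(flags), is_forwardable(flags))
```

With a real ticket, the same bytes are the `flags` field of EncTicketPart after decryption with the service key, or the `flags` field of the KDC-REP `enc-part` on the client side.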