Resource based kerberos constrained delegation

2016-07-05 Thread Martin Burkhart
Hi Greg, I am the product manager of the Single Sign-on solution Airlock. We are interested in adding support for resource based Kerberos constrained delegation (RBKCD) to our solution but currently miss the corresponding feature in krb5-libs. You have been discussing this before with Stefan

Re: AW: Resource based kerberos constrained delegation

2016-06-28 Thread Greg Hudson
On 06/28/2016 06:03 AM, Stefan Dietiker wrote:
> A few months ago I asked you whether it is possible with krb5-libs to
> do Resource Based Kerberos Constrained Delegation or not. You mentioned
> that the Kerberos libs do not include the PA-PAC-OPTIONS which are
> required for

AW: Resource based kerberos constrained delegation

2016-06-28 Thread Stefan Dietiker
Hi Greg, a few months ago I asked you whether it is possible with krb5-libs to do Resource Based Kerberos Constrained Delegation or not. You mentioned that the Kerberos libs do not include the PA-PAC-OPTIONS which are required for this purpose. Recently I was tracking the changes in the git

Re: Resource based kerberos constrained delegation

2015-11-08 Thread Greg Hudson
On 11/06/2015 07:05 AM, Stefan Dietiker wrote:
> - Is there really a dependency, that krb5-libs must support RBKCD
> (Resource based Kerberos constrained delegation)?
Looking at the latest [MS-S4U] document, it appears so. The intermediate server must include a PA-PAC-OPTIONS pa-data e

Resource based kerberos constrained delegation

2015-11-06 Thread Stefan Dietiker
(used on Front-end server to request a Kerberos ticket on behalf of a user for Back-end server): abc.com\systemacc
User: abc.com\testuser
SPN (on Back-end server): http/myiis.abc.com
As long as the system account is permitted the "old way" (not resource based Kerberos constrained delega
