directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Boorshtein <>
Subject Re: [Kerberos] Constrained Delegation Support?
Date Wed, 23 Sep 2009 00:01:21 GMT
On Tue, Sep 22, 2009 at 7:50 PM, Alex Karasulu <> wrote:

> No we really have not but its not so hard to do I think.  We just need to
> add the A2D2 attribute to the schema and enable some authorization checks in
> the KDC to make sure it constrains the service tickets the KDC grants to
> service accounts based on the contents of this attribute.  Not hard hat all
> to do I think.
Well I'll be honest I have no idea how to implement s4u2self and s4u2proxy
but I will say that IF you guys decide to implement it (which I think would
be really cool) I can say that what we did run into in our deployment was
that constrained delegation didn't work well with cross forest trusts where
a user is in one forest and the device generating and consuming the tickets
are in a seperate forest.  The commercial product did not work at all.
Should you guys want to implement I can setup a scenario that would
reproduce what I saw.


View raw message