No, we really have not, but it's not so hard to do I think. We just need to add the A2D2 attribute to the schema and enable some authorization checks in the KDC to make sure it constrains the service tickets the KDC grants to service accounts based on the contents of this attribute. Not hard at all to do I think.


On Wed, Sep 23, 2009 at 1:30 AM, Marc Boorshtein wrote:
Was curious if anyone has looked at constrained delegation support? I know it's an MS extension and the only APIs that it works with are commercial libraries, so I was curious if anyone had looked at it.


Alex Karasulu