On Wed, Sep 23, 2009 at 3:01 AM, Marc Boorshtein <firstname.lastname@example.org>
No, we really have not, but it's not so hard to do, I think. We just need to add the A2D2 attribute to the schema and enable some authorization checks in the KDC to make sure it constrains the service tickets the KDC grants to service accounts based on the contents of this attribute. Not hard at all to do, I think.
Well, I'll be honest, I have no idea how to implement s4u2self and s4u2proxy, but I will say that IF you guys decide to implement it (which I think would be really cool) I can say that what we did run into in our deployment was that constrained delegation didn't work well with cross forest trusts where a user is in one forest and the device generating and consuming the tickets are in a separate forest. The commercial product did not work at all. Should you guys want to implement, I can set up a scenario that would reproduce what I saw.
I thought KCD did not work across forests/domains, but I'm reaching here, so double check me. I'm itching to get all over these Kerberos features myself but have had no time as usual to get deep into them. Hopefully we can fulfill some of our critical needs on the LDAP side and move on to frolic around in the Kerberos side for a while.