
Constrained Delegation

Do the Quest/VAS GSSAPI libraries support Constrained Delegation?

I have this working with the MIT Kerberos GSSAPI libraries, but when I switch the it stops. 

When doing the gss_accept_sec_context(), it appears that the token passed is not seen as a "proxy credential", since I'm not getting back GSS_C_DELEG_FLAG as I do with MIT.

proxy_impersonator  - The presence of this key indicates that the cache is a synthetic delegated credential for use with S4U2Proxy. The value is the name of the intermediate service whose TGT can be used to make S4U2Proxy requests for target services. This key is not associated with any principal.

I tried the latest QAS_4_1_7_23754 libraries.



  • Constrained delegation is not something we have ever looked into with our current libraries. 

    Later in February, Authentication Services 4.2 is being released and has an updated version of Heimdal Kerberos at the center. It might be worth testing on that version when it comes out.