Do the Quest/VAS GSSAPI libraries(llibvas-gssapi.so) support Constrained Delegation?
I have this working with the MIT Kerberos GSSAPI libraries, but when I switch the libvas-gssapi.so it stops.
When doing the gss_accept_sec_context(), it appears the the token passed is not seen as a "proxy credential" since I'm not getting back GSS_C_DELEG_FLAG as I do with MIT.
proxy_impersonator - The presence of this key indicates that the cache is a synthetic delegated credential for use with S4U2Proxy. The value is the name of the intermediate service whose TGT can be used to make S4U2Proxy requests for target services. This key is not associated with any principal.
I tried the latest QAS_4_1_7_23754 libraries.