On Tue, Sep 22, 2009 at 7:50 PM, Alex Karasulu <[email protected]> wrote:
> No we really have not but it's not so hard to do I think. We just need to add the A2D2 attribute to the schema and enable some authorization checks in the KDC to make sure it constrains the service tickets the KDC grants to service accounts based on the contents of this attribute. Not hard at all to do I think.

Well, I'll be honest, I have no idea how to implement S4U2Self and S4U2Proxy, but I will say that IF you guys decide to implement it (which I think would be really cool) I can say that what we did run into in our deployment was that constrained delegation didn't work well with cross-forest trusts where the user is in one forest and the device generating and consuming the tickets is in a separate forest. The commercial product did not work at all. Should you guys want to implement it, I can set up a scenario that would reproduce what I saw.

Marc
