Simo Sorce wrote:
If pkinit is configured, anonymous tickets can be obtained.
To avoid impacting badly written applications that consider successful
authentication also implicit authorization, by default restrict
anonymous ticket to only be able to the TGTs. This is sufficient to
make FAST work with pkinit but will block any other usage unless the
admin explicitly decides to allow it by changing the kdc.conf file.
Freeipa-devel mailing list