This is mentioned briefly in the third paragraph of http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/about_mutual_authentication_using_kerberos.asp

Put simply, delegating to a server is a dangerous business. We require MUTUAL_AUTH to ensure that you're really delegating to the correct, intended entity.

-----
This message or posting is provided "AS IS" with no warranties, and confers no rights. Any opinions or policies stated within are my own and do not necessarily constitute those of my employer. Harvesting of this address for purposes of bulk email (including "spam") is prohibited unless by my expressed prior request. I retaliate viciously against spammers and spam sites.

> -----Original Message-----
> From: Brian Krings [mailto:[EMAIL PROTECTED]]
> Sent: Friday, March 08, 2002 12:05 PM
> To: [EMAIL PROTECTED]
> Subject: Mutual authentication and delegation
>
>
> I have a question about mutual authentication and delegation.
> I have an application where I would like to delegate
> credentials. I do not currently do mutual authentication.
> Using Windows 2000 as my KDC, I cannot get delegated
> credentials unless I also pass the mutual authentication flag
> to the SSPI InitializeSecurityContext. I don't see any
> documentation from Microsoft or in the RFC's that would force
> this. Does Microsoft have a bug? I do not have to request
> mutual authentication if my client is a non-Windows machine
> (using GSSAPI).
>
> Thanks in advance for any/all responses.
> Brian
>
> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> http://mailman.mit.edu/mailman/listinfo/kerberos
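
The flag pairing discussed in this thread, as an added example that is not part of either message and not Microsoft's code: a client-side check, run once the final InitializeSecurityContext call has returned, that accepts delegation only when mutual authentication was both requested and confirmed. The `ISC_REQ_*`/`ISC_RET_*` names and values are those of `sspi.h`; `check_delegation` and the `deleg_status` enum are hypothetical names, and the flag combinations in `main` are constructed.

```c
#include <stdio.h>

#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#else
/* Values as defined in sspi.h, repeated so the check also builds off Windows. */
#define ISC_REQ_DELEGATE    0x00000001UL
#define ISC_REQ_MUTUAL_AUTH 0x00000002UL
#define ISC_RET_DELEGATE    0x00000001UL
#define ISC_RET_MUTUAL_AUTH 0x00000002UL
#endif

/* Hypothetical result codes for this example. */
enum deleg_status {
    DELEG_NOT_REQUESTED,      /* caller never asked to delegate */
    DELEG_OK,                 /* peer verified and delegation granted */
    DELEG_REQ_MISSING_MUTUAL, /* delegation requested without mutual auth */
    DELEG_PEER_NOT_VERIFIED,  /* mutual auth requested but not confirmed */
    DELEG_NOT_GRANTED         /* peer verified, delegation flag not returned */
};

/* req: the fContextReq value passed to InitializeSecurityContext.
 * ret: the *pfContextAttr value it wrote back on the final call. */
enum deleg_status check_delegation(unsigned long req, unsigned long ret)
{
    if (!(req & ISC_REQ_DELEGATE))    return DELEG_NOT_REQUESTED;
    if (!(req & ISC_REQ_MUTUAL_AUTH)) return DELEG_REQ_MISSING_MUTUAL;
    if (!(ret & ISC_RET_MUTUAL_AUTH)) return DELEG_PEER_NOT_VERIFIED;
    if (!(ret & ISC_RET_DELEGATE))    return DELEG_NOT_GRANTED;
    return DELEG_OK;
}

int main(void)
{
    static const char *names[] = { "not requested", "ok",
        "request lacks MUTUAL_AUTH", "peer not verified", "not granted" };
    /* Constructed request/returned flag pairs, not captured from a real context. */
    unsigned long cases[][2] = {
        { ISC_REQ_DELEGATE, 0 },
        { ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH, ISC_RET_MUTUAL_AUTH },
        { ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH,
          ISC_RET_DELEGATE | ISC_RET_MUTUAL_AUTH },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("req=0x%lx ret=0x%lx -> %s\n", cases[i][0], cases[i][1],
               names[check_delegation(cases[i][0], cases[i][1])]);
    return 0;
}
```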
