I want to allow an application server to impersonate other users for a limited time. I know that on Win2000 the application server obtains the Kerberos TGT during delegation. Win2003 also allows constrained delegation, and I would use that model if it's possible. I'm thinking of setting the Kerberos server to issue tickets with reduced lifetime (by setting MaxServiceTicketAge and MaxTicketAge to 20 minutes, for example), but I'm not sure if it would work, as I'm not sure if the TGT isn't renewed automatically on the application server before it expires.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos