Thank you I believe that will be very helpful but I'm unable to test because while I could get constrained delegation working with the t_s4u test program in 1.10.3 I can't get the test program to work with the same accounts in 1.11.1. The test AD Server is windows 2008 R2 SP 1 in both cases.
./t_s4u p:[email protected] p:host/[email protected] /tmp/kcd_keytab_tv Protocol transition tests follow ----------------------------------- gss_acquire_cred_impersonate_name: Unspecified GSS failure. Minor code may provide more information gss_acquire_cred_impersonate_name: KDC has no support for padata type -Christopher -----Original Message----- From: Greg Hudson [mailto:[email protected]] Sent: Monday, March 11, 2013 10:44 PM To: Nebergall, Christopher Cc: [email protected] Subject: [EXTERNAL] Re: Kerberos Constrained Delegation and Credential Caching On 03/11/2013 08:23 PM, Nebergall, Christopher wrote: > Does anyone have any tips on copying the credentials created from Kerberos > constrained delegation to a credentials cache file and back in again? This is only possible with 1.11 or later. We use the subject principal as the default ccache principal, and set a ccache config variable to remember the impersonating service principal. More details at: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7046 ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
