Try checking the "Account is sensitive and cannot be delegated" option in the user properties and see if that does what you want. (I'm not sure if it will or not, but I believe this is the option actually intended to prevent Kerberos delegation.)
<<CDC Vipul Mehta wrote, On 2/10/2014 12:50 AM: > Hi, > > Scenario : User A forwards his credentials to User B. User B uses the > forwarded credentials to interact with User C on behalf of user A. > [Delegation] > > In windows KDC there is delegation option associated with user properties. > I've set it to "Do not trust this user for delegation" for User B i.e. User > B will not be able to use delegated credentials. > > In Windows SSPI API, it works fine and User B is not able to use delegated > credentials. > > But the option doesn't seem to be having any impact in MIT Kerberos API in > C++. User B is able to use A's forwarded credentials to establish security > context with User C. > > Is this a problem from KDC side ? Any solution for this ? > ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
