@Christopher: I know about that option. I don't want to disable delegation, but I want to know the correct behaviour of MIT Kerberos with the KDC option I specified.

@Greg, now it's clear to me. Checked the code also. So, if the initiator has requested GSS_C_DELEG_FLAG, then delegation will always be done and the value of the "ok-as-delegate" flag in the service ticket does not matter in that case. The value of the "ok-as-delegate" flag is important when the initiator has not requested GSS_C_DELEG_FLAG but has requested GSS_C_DELEG_POLICY_FLAG.

On Tue, Feb 11, 2014 at 2:21 AM, Greg Hudson <[email protected]> wrote:
> I believe this option affects the ok-as-delegate ticket flag, which was
> added in RFC 4120. Microsoft's Kerberos implementation honors this
> flag, but Unix implementations do not, as doing so would effectively
> disable all ticket forwarding in most Unix environments.
>
> MIT krb5 and Heimdal did add the GSS_C_DELEG_POLICY_FLAG flag so that
> applications can choose to delegate tickets only if the ok-as-delegate
> flag is set on the service ticket. But it's not clear when a Unix
> application would want to use that instead of GSS_C_DELEG_FLAG.
>

--
Regards,
Vipul
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
