On Sat, Apr 23, 2016 at 09:47:59AM -0700, Ray Van Dolson wrote:
> On Sat, Apr 23, 2016 at 09:41:47AM -0700, Ray Van Dolson wrote:
> > Using PuTTY from a domain-joined Windows 7 machine, with that machine's
> > PuTTY stack configured to allow credential delegation and connecting to
> > a RHEL7 server, also joined to AD but *not* configured in AD to be
> > trusted for delegation, I do not get a TGT added to my cache when I
> > connect.
> >
> > However, if I use MIT Kerberos on the Windows side to obtain the ticket
> > and then configure PuTTY to prefer MIT over MS SSPI, and connect to the
> > same RHEL7 machine, I *do* get a forwarded TGT (klist -f: Flags: FfPRA)
> >
> > PuTTY w/ MS SSPI works *if* I go into AD and set the target server up
> > to be configured for delegation trust.
> >
> > Can someone explain the difference in behavior? Almost feels like the
> > ticket the MIT stack is providing to PuTTY is different than the MS
> > stack's ticket.
> >
> > I also see this alluded to elsewhere[1].
> >
> > Thanks,
> > Ray
>
> Apologies for self-reply, but perhaps this is the reason?
>
> http://mailman.mit.edu/pipermail/kerberos/2014-February/019500.html
>
> Ray

Should have kept my search up. Looks like that thread revives a couple
of months later and fully explains things:

http://mailman.mit.edu/pipermail/kerberos/2014-April/019805.html

Sorry for the noise.

Ray
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos