> On 08/14/2012 06:35 PM, 1983-01...@gmx.net wrote:
> > Hi Weijun,
> >
> >> Hi Michael
> >>
> >> The feature was dropped mainly because of delegation problem. If I
> >> remember (and understand) correctly, using the underlying SSPI there
> >> seems no good way to acquire a FORWARDED ticket and send it to the
> >> middle server to perform delegation. I think maybe Microsoft restricts
> >> this so that you are always under the UAC umbrella, otherwise, a
> >> forwarded TGT might let you do much more than it wants.
> >>
> >> This means if the client uses SSPI but the server uses pure Java, there
> >> is a loss of function, and I was not happy with this (4 years ago).
> >>
> >> This might change if pure Java Kerberos also supports constrained
> >> delegation.
> >
> > This is confusing. Why is a SPNEGO ticket sent by Firefox which is
> > generated with SSPI forwardable then? I was happily able to retrieve
> > a service ticket for an Active Directory server on behalf of that user's
> > GSSCredential and retrieve some data through LDAP. InitializeSecurityContext
> > and ISC_REQ_DELEGATE don't do the job?
>
> Maybe I can look at it again. I remember the problem was about
> delegation. I am not sure now.
>
> I cannot determine when I can pick up the feature again. Sorry.

Thank you! That would be a viable contribution to the entire framework.

Michael