Hmm, I think you are right. Here's what the Microsoft docs say: "The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set (see Service 1 in the figure specifying Kerberos delegation with forwarded TGT, section 1.3.3). This ticket can be obtained through an S4U2self protocol exchange." I'll follow up with the folks at RedHat and FreeIPA.

Thanks
Marc Boorshtein
CTO Tremolo Security
marc.boorsht...@tremolosecurity.com
(703) 828-4902

On Mon, Nov 30, 2015 at 10:01 PM, Wang Weijun <weijun.w...@oracle.com> wrote:
> It is my understanding that if the S4U2self ticket is not forwardable then it
> cannot be used in a S4U2proxy request. That's why we just threw an exception. Am
> I wrong? Or you don't intend to use it this way?
>
> --Max
>
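The check the thread turns on (an S4U2self ticket may only feed an S4U2proxy request if its forwardable flag is set) can be stated precisely against the ticket's flag bits. The following is an added example, not code from this thread, from the JDK, or from FreeIPA. It decodes the KerberosFlags / TicketFlags BIT STRING as defined in RFC 4120 section 5.4.1 (bit 0 is the most significant bit of the first octet; forwardable is bit 1) from its DER form and applies the same gate Max describes, refusing to proceed when the ticket is not forwardable. It assumes the caller already holds the decrypted EncTicketPart flags as raw DER bytes; the sample encodings below are constructed for illustration.

```python
# Added example: decode Kerberos TicketFlags (RFC 4120 section 5.4.1) from a DER
# BIT STRING and gate S4U2proxy on the forwardable flag. Not the JDK's own code.

# Flag bit positions from RFC 4120 section 5.4.1 (bit 0 = MSB of first octet).
FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}


def decode_ticket_flags(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) carrying KerberosFlags into flag names.

    Only the short-form length (< 128 octets) is handled, which is all a
    32-bit KerberosFlags value ever needs.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused_bits = der[2]
    body = der[3:]
    nbits = len(body) * 8 - unused_bits
    names = set()
    for name, bit in FLAG_BITS.items():
        # Bit n lives in octet n // 8, counted from the MSB of that octet.
        if bit < nbits and (body[bit // 8] >> (7 - bit % 8)) & 1:
            names.add(name)
    return names


def encode_ticket_flags(names) -> bytes:
    """Inverse of decode_ticket_flags for a 32-bit KerberosFlags value."""
    value = 0
    for name in names:
        value |= 1 << (31 - FLAG_BITS[name])
    # tag 0x03, length 5 (1 unused-bits octet + 4 flag octets), 0 unused bits
    return b"\x03\x05\x00" + value.to_bytes(4, "big")


def can_use_for_s4u2proxy(flags: set) -> bool:
    """S4U2proxy requires the S4U2self service ticket to be forwardable."""
    return "forwardable" in flags


def check_s4u2self_ticket(der: bytes) -> set:
    """Decode the flags and refuse non-forwardable tickets, as the thread describes.

    Returns the decoded flag set on success; raises PermissionError otherwise.
    """
    flags = decode_ticket_flags(der)
    if not can_use_for_s4u2proxy(flags):
        raise PermissionError(
            "S4U2self ticket is not forwardable; it cannot be used in S4U2proxy")
    return flags


# Constructed sample encodings (not captured from a real KDC).
FORWARDABLE_TICKET_FLAGS = encode_ticket_flags(
    {"forwardable", "renewable", "pre-authent"})
NON_FORWARDABLE_TICKET_FLAGS = encode_ticket_flags({"renewable", "pre-authent"})

if __name__ == "__main__":
    print("forwardable sample:", sorted(check_s4u2self_ticket(FORWARDABLE_TICKET_FLAGS)))
    try:
        check_s4u2self_ticket(NON_FORWARDABLE_TICKET_FLAGS)
    except PermissionError as exc:
        print("non-forwardable sample rejected:", exc)
```

On a real host the flags come from the decrypted ticket, so this check is only available to the service that holds the key the S4U2self ticket was encrypted in; a KDC that issues the S4U2self ticket without the forwardable bit (the situation Marc is chasing with FreeIPA) is caught here before an S4U2proxy request is ever sent.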