> Yes. S4U2proxy is very new, much newer than the WebAuth protocol itself,
> so WebAuth was not designed with it in mind. But you could indeed replace
> the whole proxy/cred token system with S4U2proxy, provided that your KDC
> had good enough ACLs on that capability.
>
> You would lose a UI feature that WebAuth currently has, where the WebLogin
> server warns the user what credentials the WAS will be able to obtain on
> their behalf, but you could re-add that by adding some sort of API for the
> WebLogin server to query the KDC-side ACL.
>
> Note that S4U2proxy isn't supported until MIT Kerberos 1.8 and I'm not
> sure the status of support in Heimdal. I'm also not sure exactly how you
> configure the KDC-side ACLs (the equivalent of WebAuth's token.acl).
I will just throw in that S4U2proxy is supported in Active Directory (2008 and later, I believe), but the method of storing Allowed to Delegate to (A2D2) information changes between Windows Server 2008 R2 and 2012, which would complicate the search here. 2008/2008R2 stores this data on the service account that may request the ticket. 2012 stores this data on the service account that is the target of the ticket. This change was made to allow constrained delegation/A2D2 across Active Directory domains.

-Ross
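As an added illustration of the two storage models Ross describes (not code from this thread or from WebAuth), the following PowerShell audit enumerates both places Active Directory keeps A2D2 information, which is the closest AD equivalent of reading WebAuth's token.acl on the KDC side. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory, and uses the attribute names Windows itself uses for the two models, msDS-AllowedToDelegateTo (stored on the requesting account, the 2008/2008 R2 model) and msDS-AllowedToActOnBehalfOfOtherIdentity (stored on the target account, the 2012 model); neither attribute name appears in the thread, so they are supplied from general AD knowledge.

```powershell
# Added audit example; not part of the mailing-list thread or of WebAuth.
# Assumes the ActiveDirectory module (RSAT) and directory read access.
Import-Module ActiveDirectory

function Get-ClassicConstrainedDelegation {
    # 2008 / 2008 R2 model: the list of target SPNs lives on the account
    # that will request the S4U2proxy ticket.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties msDS-AllowedToDelegateTo, userAccountControl |
    ForEach-Object {
        # userAccountControl bit 0x1000000 (TRUSTED_TO_AUTH_FOR_DELEGATION)
        # additionally allows S4U2self "protocol transition", a wider grant
        # than plain S4U2proxy and worth calling out in a review.
        $protocolTransition = ($_.userAccountControl -band 0x1000000) -ne 0
        [pscustomobject]@{
            Model              = '2008 (stored on requester)'
            Requester          = $_.DistinguishedName
            Target             = ($_.'msDS-AllowedToDelegateTo' -join ';')
            ProtocolTransition = $protocolTransition
        }
    }
}

function Get-ResourceBasedConstrainedDelegation {
    # 2012 model: the target holds a security descriptor whose ACEs name the
    # accounts permitted to delegate to it. Because the grant is evaluated on
    # the target's side, the requester may live in another domain.
    Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        $raw = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        if ($raw -is [byte[]]) {
            # Raw LDAP form: decode the binary security descriptor.
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        } else {
            # The AD module may already hand back an ActiveDirectorySecurity.
            $sd = $raw
        }
        foreach ($ace in $sd.Access) {
            [pscustomobject]@{
                Model              = '2012 (stored on target)'
                Requester          = $ace.IdentityReference.Value
                Target             = $_.DistinguishedName
                ProtocolTransition = $null   # not expressed in this model
            }
        }
    }
}

# One combined view: who may obtain service tickets on a user's behalf,
# to which services, regardless of which storage model recorded the grant.
$report = @(Get-ClassicConstrainedDelegation) + @(Get-ResourceBasedConstrainedDelegation)
$report | Sort-Object Model, Requester | Format-Table -AutoSize
```

Reviewing both outputs together is the practical answer to the "complicated search" Ross mentions: a grant recorded under either model yields the same S4U2proxy capability, so an audit (or a WebLogin-style warning about what a service can obtain on a user's behalf) has to read both attributes, and the ProtocolTransition column flags the accounts whose grant is broader than constrained delegation alone.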
