On Wed, Jul 18, 2007 at 02:01:31PM -0400, DEEngert@anl.gov via RT wrote:
> It does not require the client to delegate! The Sandia mods are enforcing
> a local policy that will only delegate if the KDC says the server is trusted,
> and the client requests delegation, i.e. called krb5_fwd_tgt_creds(). In effect
> doing what Windows clients and AD do by default.

Maybe I'm coming at this from the wrong direction. Is the intent to be able to disallow credential delegation in cases when the application is specifically requesting it?