The S4U2Proxy code has been tested against Active Directory and the MIT krb5 KDC.  Typically S4U2Proxy operations are initiated via the GSSAPI, however; see https://web.mit.edu/kerberos/krb5-latest/doc/appdev/gssapi.html#constrained-delegation-s4u and the test program t_s4u.c.

The protocol error code corresponding to "KDC can't fulfill requested option" can have a variety of causes.  One that immediately comes to mind is using a non-forwardable evidence ticket, but there are many others.  It's possible that KDC logs could provide more information, but I am not very familiar with Active Directory's logging.

As a note, MIT krb5 is an open source project and does not have an SLA with any other organization.  We cannot guarantee any specific response time for bug reports or promise that they will be resolved.