Subject: | Resource Based Constrained Delegation client support |
Windows Server 2012 added a feature called Resource Based Constrained
Delegation, which allows delegation policy to be configured on the
S4U2Proxy target's principal entry rather than the intermediate's, and
allows the intermediate and target to be in different realms.
Some client support is apparently necessary to make this work. We have
received at least one request to implement these client changes; I am
creating this ticket to track that request. I have not done the research
to understand the scope of the required client changes.
http://mailman.mit.edu/pipermail/kerberos/2016-July/021295.html
https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/
https://msdn.microsoft.com/en-us/library/cc246071.aspx
Delegation, which allows delegation policy to be configured on the
S4U2Proxy target's principal entry rather than the intermediate's, and
allows the intermediate and target to be in different realms.
Some client support is apparently necessary to make this work. We have
received at least one request to implement these client changes; I am
creating this ticket to track that request. I have not done the research
to understand the scope of the required client changes.
http://mailman.mit.edu/pipermail/kerberos/2016-July/021295.html
https://blog.kloud.com.au/2013/07/11/kerberos-constrained-delegation/
https://msdn.microsoft.com/en-us/library/cc246071.aspx