Kerberos Delegation

E

ecy1

Hi

I would like to know if Kerberos Delegation is possible in
a multi Hop scenario.
For example: Is the following scenario possible?

A Client C Transfer its {TGT} to server "S" for
Delegation, Server S will FORWARD this {TGT} to server T
for delegation again, (Second Hop).
Server T will finally ask for a ticket form service server
Q to be able to call that service in client's C name.

The question is: Is it possible for the Kerberos
delegation algorithm to run through multiple Hops?

I have read about Kerberos and found many explanations
about Delegation but ALL described Only one hop scenario.

Does this mean that Multi Hop Scenario is not possible?

Is there an article and example showing this?

Thanks

Emmanuel Kahn
(e-mail address removed)
 
P

Paul Glavich

Yes, kerberos delegation is possible. You need to mark the account that
is to be delegated as 'delegateable'. I dont have a link handy, but I do
have a set of web articles on disk that describe how to implement
kerberos delegation under windows 2000. Send me offlist at
(e-mail address removed)-NOSPAM (obviously without the -NOSPAM) and I'll
forward it to you.

- Paul Glavich
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Kerberos to NTLM delegation timeout 2
Expired Tickets - Delegation vs S4U 3
Constrained delegation question! 9
Kerberos delegation trauma 3
Kerberos 1
kerberos constrained delegation for file server access 0
Kereberos delegation problem 0
Performance issues With Impersonation and Delegation 3

Members online

No members online now.
Total: 34 (members: 0, guests: 34)
Robots: 327

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,011
Latest member
AjaUqq1950

Latest Threads

Top