From f56cf04078a80f7ad38da3bbdf3735a72e0c51c0 Mon Sep 17 00:00:00 2001 From: kouril Date: Tue, 5 Oct 2004 09:18:12 +0000 Subject: [PATCH] Description of delegation support in Win AD (thanks Rob Sessink) --- INSTALL | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/INSTALL b/INSTALL index 3459469..6cf767f 100644 --- a/INSTALL +++ b/INSTALL @@ -81,6 +81,12 @@ used for. To create the account you can use standard AD tools. Make sure that the user account has "Password never expires" set and write down the password you set for the account (you will need it later). +When using ticket based authentication (KrbMethodNegotiate) and also wanting +to save the ticket (KrbSaveCredentials), the user account for the Kerberos +principal must have the option "Account is trusted for delegation" set. This +enables to user account to delegate the tickets to the server for further +authentication. + If you want to kerberize additional hosts you need to create one user account per each kerberized host. -- 2.1.4
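Review bot: The added sentence "This enables to user account to delegate the tickets to the server" has a typo ("to user account" should read "the user account"). It also does not say which account is meant. Suggest stating explicitly that it is the AD user account created in the preceding paragraph for the service principal. Because "Account is trusted for delegation" lets the service receive and reuse users' forwarded tickets, the paragraph should add that the option is needed only when KrbSaveCredentials is enabled together with KrbMethodNegotiate, and should be left unset otherwise.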