Kerberos Delegation

[ecy1@bezeqint.net]

Hi

I would like to know if Kerberos Delegation is possible in
a multi Hop scenario.
For example: Is the following scenario possible?

A Client C Transfer its {TGT} to server "S" for
Delegation, Server S will FORWARD this {TGT} to server T
for delegation again, (Second Hop).
Server T will finally ask for a ticket form service server
Q to be able to call that service in client's C name.

The question is: Is it possible for the Kerberos
delegation algorithm to run through multiple Hops?

I have read about Kerberos and found many explanations
about Delegation but ALL described Only one hop scenario.

Does this mean that Multi Hop Scenario is not possible?

Is there an article and example showing this?

Thanks

Emmanuel Kahn
[email]ecy1@bezeqint.net[/email]

[Paul Glavich]

Yes, kerberos delegation is possible. You need to mark the account that
is to be delegated as 'delegateable'. I dont have a link handy, but I do
have a set of web articles on disk that describe how to implement
kerberos delegation under windows 2000. Send me offlist at
[email]glav@aspalliance.com[/email]-NOSPAM (obviously without the -NOSPAM) and I'll
forward it to you.

- Paul Glavich

> Hi
>
> I would like to know if Kerberos Delegation is possible in
> a multi Hop scenario.
> For example: Is the following scenario possible?
>
> A Client C Transfer its {TGT} to server "S" for
> Delegation, Server S will FORWARD this {TGT} to server T
> for delegation again, (Second Hop).
> Server T will finally ask for a ticket form service server
> Q to be able to call that service in client's C name.
>
> The question is: Is it possible for the Kerberos
> delegation algorithm to run through multiple Hops?
>
> I have read about Kerberos and found many explanations
> about Delegation but ALL described Only one hop scenario.
>
> Does this mean that Multi Hop Scenario is not possible?
>
> Is there an article and example showing this?
>
> Thanks
>
> Emmanuel Kahn
> [email]ecy1@bezeqint.net[/email]
>
>