|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library|
For some applications, a client might need to delegate authority to a server to act on its behalf in contacting other services. The client must forward credentials to an intermediate server. The client's ability to obtain a service ticket to a server conveys no information to the client about whether the server should be trusted to accept delegated credentials. The ok_to_auth_as_delegate option to the kadmin command provides a way for a KDC to communicate the local realm policy to a client regarding whether an intermediate server is trusted to accept such credentials.
The copy of the credential ticket flags in the encrypted part of the KDC reply might have the ok_to_auth_as_delegate option set to indicate to the client that the server specified in the ticket has been determined by the policy of the realm to be a suitable recipient of delegation. A client can use the presence of this information to determine whether to delegate credentials (by granting either a proxy or a forwarded TGT) to this server. When setting this option, an administrator must consider the security and placement of the server on which the service runs, as well as whether the service requires the use of delegated credentials.