2.8. OK as Delegate
Overview
For some applications, a client may need to delegate authority to a server to act on its behalf in contacting other services. This requires that the client forward credentials to an intermediate server.
The Problem
The ability for a client to obtain a service ticket to a server conveys no information to the client about whether the server should be trusted to accept delegated credentials.
The Solution
The OK-AS-DELEGATE flag provides a way for a KDC to communicate local realm policy to a client regarding whether an intermediate server is trusted to accept such credentials.
How It Works
The copy of the ticket flags in the encrypted part of the KDC reply may have the OK-AS-DELEGATE flag set to indicate to the client that:
- The server specified in the ticket has been determined by the policy of the realm to be a suitable recipient of delegation
- The client can use the presence of this flag to help it decide whether to delegate credentials (grant either a proxy or a forwarded TGT) to this server
- A client may ignore the value of this flag; it is advisory
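The client-side check described above, as an added example that is not part of RFC 4120 or of any Kerberos implementation: it decodes the TicketFlags BIT STRING from the encrypted part of the KDC reply and applies the delegation decision. The bit positions are those of RFC 4120 section 5.3; the sample encodings are constructed, and the policy knob `honor_ok_as_delegate` is a hypothetical name for the choice the RFC leaves to the client.

```python
# Added illustration for RFC 4120 section 2.8; not the RFC's text or any
# Kerberos implementation's code. Bit positions follow the TicketFlags
# definition in RFC 4120 section 5.3; encoding follows KerberosFlags
# (section 5.2.8): bit 0 is the most significant bit of the first octet.
TICKET_FLAG_BITS = {
    "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}

def decode_ticket_flags(der: bytes) -> set[str]:
    """Parse a DER KerberosFlags BIT STRING into the names of the flags set.

    Layout: tag 0x03, short-form length, one 'unused bits' octet, flag octets.
    KerberosFlags must carry at least 32 bits; anything shorter is rejected
    rather than silently read as "no flags set".
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or long-form length")
    unused, body = der[2], der[3:]
    total_bits = len(body) * 8 - unused
    if unused > 7 or total_bits < 32:
        raise ValueError("KerberosFlags must be at least 32 bits")
    return {
        name for name, bit in TICKET_FLAG_BITS.items()
        if bit < total_bits and body[bit // 8] & (0x80 >> (bit % 8))
    }

def should_delegate(flags: set[str], wants_delegation: bool,
                    honor_ok_as_delegate: bool = True) -> bool:
    """Client-side decision: grant a proxy or forward a TGT to this server?

    With honor_ok_as_delegate=True the client delegates only when the realm
    marked the server as a suitable recipient; False models the RFC's allowance
    that a client may ignore the flag and rely solely on its own configuration.
    """
    if not wants_delegation:
        return False
    return "ok-as-delegate" in flags or not honor_ok_as_delegate

# Constructed samples (not captured traffic): forwardable, renewable and
# pre-authent set; only the first also has ok-as-delegate (0x04 in octet 1).
SAMPLE_DELEGATE_OK = bytes.fromhex("03050040a40000")
SAMPLE_NO_DELEGATE = bytes.fromhex("03050040a00000")
```

Running `should_delegate(decode_ticket_flags(SAMPLE_NO_DELEGATE), True)` yields False with the flag honored and True when the client chooses to ignore it, which is the policy gap administrators should keep in mind.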
Administrator Considerations
When setting this flag, an administrator should consider:
- The security and placement of the server on which the service will run
- Whether the service requires the use of delegated credentials
Reference
For complete technical details, refer to RFC 4120 Section 2.8.