Regarding User Delegation

Narendra Kumar S.S ssnkumar at
Wed Feb 16 23:46:49 MST 2011


     I am facing a problem with delegated user authentication and seek help
in resolving the issue.

     I have used Heimdal API's in my code. And I am using Windows 2003 R2 as
my DC/AD.
     I have configured a delegated user, and using this in my code to login
to AD.
     I get the tickets on behalf of the another user (say user1) for the
cifs service.
     From the TGS REP I got the ticket with flags (ok-as-delegate, pre-auth,
renewable) for the user user1,
     and I build the authenticator using krb5_make_req_extended ( ) .

     When I send this authenticator and ticket encapsulated in GSS-API blob
in session setup Andx request,
     I get the error as "KRB5KBC_AP_ERR_MODIFIED" from the server.
     The code is tested with single stand alone user  and it works fine.

    My domainname is
    The delegated user is deleg_user.
    The hostname of my DC/AD is test-dc.
    My spn's on the DC/AD looks as below:
C:\>setspn -l deleg_user
Registered ServicePrincipalNames for

C:\>setspn -l test-dc
Registered ServicePrincipalNames for CN=TEST-DC,OU=Domain

    Please let me know, how to get this working?


More information about the samba-technical mailing list