Hey folks,

I decided to write a blog post on Kerberos delegation after finding much conflicting and inaccurate info on the net. Of course I now wonder if my conclusions are completely accurate. I'd appreciate any feedback on the blog post as to accuracy. Other suggestions are also welcome.

https://blogs.uw.edu/kool/2016/10/26/kerberos-delegation-in-active-directory/

BTW, I expressed some fairly strong opinions about the value of S4U2Proxy over A2D2. I know that features will be added by MS if Fortune 500 companies ask for them. I suspect that is how S4U2Proxy ended up being created and I imagine those are the folks most likely to have complex domain setups.

I haven't looked closely at Server 2016 so I don't know if it makes any changes to the Kerberos delegation story. Does anyone know?

Thanks,

Eric


Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx