On Mon, 28 Nov 2011, Ondrej Valousek wrote:
I do not think so - see my post earlier today. I think it actually makes
sense in terms of improved security. You can tell your KDC which TGS tickets
can be issued for a specified machine.
A good article is here:
http://technet.microsoft.com/en-us/library/cc755804%28WS.10%29.aspx

It wasn't clear to me what security benefit you're describing here. What
*specifically* do you think this improves security-wise?

I wasn't clear how you could use this to tell your KDC which TGS tickets can
be issued for a specified machine, given the specified machine's Kerberos
credential is allowed to create new service principals.
jh