Kerberos Constrained Delegation And Protocol Transition In Smart Card PKI Architectures

Kerberos delegation, as specified by version 5 of the protocol, resolved this through two new extensions to the authentication protocol: This is an important feature as it allows users to send a request to a service using credentials that are not acceptable for Kerberos authentication such as a smart card, which presents a client certificate as credentials. The constrained delegation extension allows a service to obtain service tickets restricted to a list of specific services on the network once it has been presented with the appropriate service ticket, which may have been obtained through protocol transition.