Simo Sorce

Can you klist /run/fasjson/krb5ccache as well as the user specific ccache ? I suspect the lifetiem of the ticket you obtain in constrained delegation is clamped to the shorter lifetime...

Ok, so I am surprise that the client would even get back a 401 in this scenario, as the delegate credentials are not something mod_auth_gssapi would check during authentication, is...

I have been thinking about this for a while, and I do not see a very clean solution yet, I think one way would be for you to remove the...

(edited the comment above as I fat fingered a send mid-typing :)

You cn easily set the Negotiate headers, the first header is quite standard and is literally just: `WWW-Authenticate: Negotiate`

Great news!

What mod_auth_gssapi can do is to prepare a ticket valid for impersonation, but it is not built to try and perform "middle man" authentication when used in a proxy. So...

A PR is good, the only question is whether it is possible to add a test in CI to make sure it stays working in the future.

You can remove it if it is not an issue anymore

I think a IETF draft describing the algorithm was never submitted, and that would be a pre-requisite