@jborean93
Last active July 12, 2020 11:06
Documenting the behaviour of GSS_C_DELEG_POLICY_FLAG on both MIT and Heimdal

Scenario

  • Kerberos authentication to a WinRM endpoint
  • 2 Windows endpoints, 1 is trusted for unconstrained delegation (Y), the other is not trusted for any delegation (N)
  • Trying to reconcile the behaviour of GSS_C_DELEG_POLICY_FLAG for both MIT and Heimdal
  • This does not consider any krb5.conf values that could affect this behaviour
  • The Doc rows record the documented behaviour as described in this blog post
  • Tested on CentOS 8 against a Microsoft KDC
  • MIT krb5 version 1.17
  • Heimdal krb5 version 7.7.0

Results

req_flags              ok-as-delegate  provider  delegated  ret_flags
None                   Y               MIT       N          None
None                   Y               Heimdal   N          None
None                   Y               Doc       N          None
None                   N               MIT       N          None
None                   N               Heimdal   N          None
None                   N               Doc       N          None
DELEG                  Y               MIT       Y          DELEG
DELEG                  Y               Heimdal   Y          DELEG
DELEG                  Y               Doc       Y          DELEG
DELEG                  N               MIT       Y          DELEG
DELEG                  N               Heimdal   Y          DELEG
DELEG                  N               Doc       Y          DELEG
DELEG_POLICY           Y               MIT       Y          DELEG | DELEG_POLICY
DELEG_POLICY           Y               Heimdal   Y          DELEG | DELEG_POLICY
DELEG_POLICY           Y               Doc       Y          DELEG | DELEG_POLICY
DELEG_POLICY           N               MIT       N          None
DELEG_POLICY           N               Heimdal   N          None
DELEG_POLICY           N               Doc       N          None
DELEG | DELEG_POLICY   Y               MIT       Y          DELEG | DELEG_POLICY
DELEG | DELEG_POLICY   Y               Heimdal   Y          DELEG | DELEG_POLICY
DELEG | DELEG_POLICY   Y               Doc       Y          DELEG | DELEG_POLICY
DELEG | DELEG_POLICY   N               MIT       Y          DELEG
DELEG | DELEG_POLICY   N               Heimdal   Y          DELEG
DELEG | DELEG_POLICY   N               Doc       Y          DELEG

Most scenarios are the same, except for using MIT with just GSS_C_DELEG_POLICY_FLAG set against an ok-as-delegate SPN.

This was incorrect; after testing again I saw the same behaviour between MIT and Heimdal, so this was a false positive.
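The table boils down to one rule: GSS_C_DELEG_FLAG forwards the client's TGT no matter what, while GSS_C_DELEG_POLICY_FLAG forwards it only when the KDC has marked the service ticket OK-AS-DELEGATE, and DELEG_POLICY is only echoed back in ret_flags when that policy check actually passed. The Python below is an added example, not code from this gist or from MIT/Heimdal; it models the observed outcomes without touching a KDC or a GSS-API library. The flag values are the standard GSS-API constants (GSS_C_DELEG_FLAG = 1, GSS_C_DELEG_POLICY_FLAG = 0x8000); the client list fed to the audit helper is constructed sample input, and the function and client names are the example's own.

```python
from __future__ import annotations

# Added example: a model of the GSS_C_DELEG_FLAG / GSS_C_DELEG_POLICY_FLAG
# behaviour recorded in the table above. Not the gist's code and not a GSS-API
# call; the outcomes are reproduced from the observed results.

# Standard GSS-API flag values (RFC 2744 / MIT gssapi.h).
GSS_C_DELEG_FLAG = 0x0001
GSS_C_DELEG_POLICY_FLAG = 0x8000

# Mapping between the table's shorthand and the bitmask values.
_NAMES = {"DELEG": GSS_C_DELEG_FLAG, "DELEG_POLICY": GSS_C_DELEG_POLICY_FLAG}


def parse_flags(text: str) -> int:
    """Parse table notation such as "DELEG | DELEG_POLICY" or "None" into a bitmask."""
    if text.strip() == "None":
        return 0
    mask = 0
    for name in text.split("|"):
        mask |= _NAMES[name.strip()]
    return mask


def format_flags(mask: int) -> str:
    """Inverse of parse_flags, using the same ordering as the table."""
    names = [n for n, bit in _NAMES.items() if mask & bit]
    return " | ".join(names) if names else "None"


def delegation_outcome(req_flags: int, ok_as_delegate: bool) -> tuple[bool, int]:
    """Return (credentials delegated?, delegation bits of ret_flags).

    DELEG forwards the TGT unconditionally. DELEG_POLICY forwards it only when
    the service ticket carries OK-AS-DELEGATE, and is reported in ret_flags
    only when that check passed, which is why "DELEG | DELEG_POLICY" against a
    service not trusted for delegation returns just DELEG.
    """
    policy_ok = bool(req_flags & GSS_C_DELEG_POLICY_FLAG) and ok_as_delegate
    delegated = bool(req_flags & GSS_C_DELEG_FLAG) or policy_ok
    ret = 0
    if delegated:
        ret |= GSS_C_DELEG_FLAG
    if policy_ok:
        ret |= GSS_C_DELEG_POLICY_FLAG
    return delegated, ret


def unconditional_forwarding(clients: list[tuple[str, str, bool]]) -> list[str]:
    """Defender-side check over (client name, req_flags text, ok-as-delegate)
    entries: report clients whose flags would hand a forwardable TGT to a
    service the KDC does not trust for delegation."""
    findings = []
    for name, req_text, ok in clients:
        delegated, ret = delegation_outcome(parse_flags(req_text), ok)
        if delegated and not ok:
            findings.append(
                f"{name}: {req_text} delegates to a non-trusted service "
                f"(ret_flags {format_flags(ret)})"
            )
    return findings


if __name__ == "__main__":
    # Reproduce the table rows (MIT and Heimdal agree, so provider is omitted).
    print(f"{'req_flags':<22}{'ok':<4}{'del':<5}ret_flags")
    for req in ("None", "DELEG", "DELEG_POLICY", "DELEG | DELEG_POLICY"):
        for ok in (True, False):
            delegated, ret = delegation_outcome(parse_flags(req), ok)
            print(f"{req:<22}{'Y' if ok else 'N':<4}{'Y' if delegated else 'N':<5}{format_flags(ret)}")

    # Constructed sample client configurations (hypothetical host names).
    sample = [
        ("winrm-host-a", "DELEG", False),
        ("winrm-host-b", "DELEG_POLICY", False),
        ("winrm-host-c", "DELEG | DELEG_POLICY", True),
    ]
    for line in unconditional_forwarding(sample):
        print(line)
```

The audit helper is the practical takeaway for a WinRM client: a configuration that sets GSS_C_DELEG_FLAG forwards the TGT even to hosts the domain has not marked trusted for delegation, whereas GSS_C_DELEG_POLICY_FLAG alone leaves that decision to the KDC. Checking ret_flags for GSS_C_DELEG_POLICY_FLAG after gss_init_sec_context tells the client which case it ended up in.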
