Use Wireshark to diagnose LDAP through Kerberos

Here is a successful one.

For a better understanding of each request, here is kerberos works. 

diagram from: https://www.ibm.com/developerworks/ibmi/library/i-sso/index.html

Here is how you verified if a TGT is returned.

A Ticket is returned for LDAP for that user

Main user bound.

Infomation about delegated user back

Got TGT for delegated User

Get Ticket for delegated User

Bind delegated user within SASL. 

Some code to read info of delegated user:

https://lkarolak.wordpress.com/2010/11/17/finding-active-directory-users-group-membership-in-c/

--

Feng