Actually, even with the cred_store option for delegation_policy, when using more than one type, one can't really tell what creds he got at the end. We have GET_CRED_IMPERSONATOR_OID which I think can be used to inquire for proxy-creds, but how do you tell a tgt-less one? It would be nice to be able to inquire about it.