S4U2Self and realm/domain trusts

Ben H bhendin at gmail.com
Thu May 15 17:50:14 EDT 2014

Microsoft apparently published some of the first information about S4U2Self
back in 2003 here:


In it they state:

"If the client and the service are in separate domains, this requires a
bidirectional trust path between them because the service, acting on the
client's behalf, must request tickets from the client's domain."

It seems every talk about this since then has mirrored this sentiment...for
instance a (relatively recent post by Simo:
"bidirectional trust is not only what is required..."

But I can't find anything in MS-SFU that would state this is required. In
fact the only mention of trust is:

"If the user's realm is the same as Service 1's realm, the service already
has the TGT that it needs. If the user's account is in a different realm,
the service constructs a KRB_TGS_REQ with the name of the TGS of the user's
realm as the sname field in the request. The cname and crealm fields are
set to the name and realm of Service 1. See [RFC4120] section 5.3 for the
use of sname and cname. If there is not a direct trust relationship with an
inter-realm key between Service 1's realm and the user's realm, the
service's TGS MUST return a TGT to a realm closer to the user's realm. This
process is repeated until Service 1 obtains a TGT to a TGS in the user's

The "S4U2self Multiple Realm Example" here also is unclear:

Can anyone validate that a bi-directional trust is required, and why the
service realm trusting the user realm is not sufficient?


More information about the Kerberos mailing list