S4U2Self and realm/domain trusts

Greg Hudson ghudson at MIT.EDU
Thu May 15 17:59:58 EDT 2014

On 05/15/2014 05:50 PM, Ben H wrote:
> Can anyone validate that a bi-directional trust is required, and why the
> service realm trusting the user realm is not sufficient?

I believe a bidirectional trust is actually required.  The process as I
understand it is (assuming direct trust relationships):

1. Service gets a cross-realm TGT to the user realm (requires user realm
to trust service realm).

2. Service makes S4U2Self request to user realm.

3. User realm responds with referral back to service realm (requires
service realm to trust user realm).

4. Service presents referral TGT to service realm and gets evidence ticket.

All this is required because of PACs; if there were no need to acquire
authdata for the user, the service realm could print the necessary
ticket without help from the user realm, and there would be no need for
the user realm to trust the service realm.
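To make the trust-direction argument above concrete, here is a small Python model of the four steps, added as an illustration; it is not MIT Kerberos code and not part of Greg's message. It represents "A trusts B" as the pair (A, B), meaning A's KDC shares the krbtgt/A@B key and will accept a cross-realm TGT issued by B. It generalizes slightly beyond the direct-trust case in the message by walking a chain of trusts, so an intermediate realm on the path is also handled. Realm names and the needs_authdata switch (modelling the "no PAC needed" remark) are assumptions made for the example.

```python
from collections import deque

# Trust relation as a set of (trusting_realm, trusted_realm) pairs.
# ("A", "B") means realm A trusts realm B: A's KDC accepts cross-realm
# TGTs that B's KDC issued for krbtgt/A@B.  Assumed model, not MIT code.


def trust_path(src, dst, trusts):
    """Return the realm chain a cross-realm TGT can follow from src to dst,
    or None if no such chain exists.  Each hop lands on a realm that trusts
    the previous one, since that realm's KDC must accept the presented TGT."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            chain = []
            while realm is not None:
                chain.append(realm)
                realm = prev[realm]
            return chain[::-1]
        for trusting, trusted in trusts:
            if trusted == realm and trusting not in prev:
                prev[trusting] = realm
                queue.append(trusting)
    return None


def s4u2self_cross_realm(service_realm, user_realm, trusts, needs_authdata=True):
    """Walk the four-step cross-realm S4U2Self exchange.

    Returns (success, completed_steps, failure_reason).  needs_authdata=False
    models the case where no PAC/authdata must be fetched from the user
    realm, so the service realm can mint the evidence ticket on its own."""
    steps = []
    if service_realm == user_realm:
        steps.append("local S4U2Self: no cross-realm TGT needed")
        return True, steps, None
    if not needs_authdata:
        steps.append(f"{service_realm} issues the evidence ticket itself (no authdata to fetch)")
        return True, steps, None

    # Step 1: the service needs a cross-realm TGT that the user realm accepts,
    # so every realm along the chain must trust the one before it.
    outbound = trust_path(service_realm, user_realm, trusts)
    if outbound is None:
        return False, steps, f"step 1: {user_realm} does not trust {service_realm}"
    steps.append("step 1: cross-realm TGT " + " -> ".join(outbound))

    # Step 2: the S4U2Self request itself goes to the user realm's KDC.
    steps.append(f"step 2: S4U2Self request sent to {user_realm}")

    # Step 3: the user realm answers with a referral TGT back toward the
    # service realm, which the service realm's KDC must be willing to accept.
    inbound = trust_path(user_realm, service_realm, trusts)
    if inbound is None:
        return False, steps, f"step 3: {service_realm} does not trust {user_realm}"
    steps.append("step 3: referral TGT " + " -> ".join(inbound))

    # Step 4: with the referral in hand the service realm issues the evidence ticket.
    steps.append(f"step 4: {service_realm} issues the evidence ticket")
    return True, steps, None


if __name__ == "__main__":
    # Constructed realm names; try each trust configuration in turn.
    bidirectional = {("SVC.EXAMPLE", "USERS.EXAMPLE"), ("USERS.EXAMPLE", "SVC.EXAMPLE")}
    for label, trusts in [("bidirectional", bidirectional),
                          ("only SVC trusts USERS", {("SVC.EXAMPLE", "USERS.EXAMPLE")}),
                          ("only USERS trusts SVC", {("USERS.EXAMPLE", "SVC.EXAMPLE")})]:
        ok, done, why = s4u2self_cross_realm("SVC.EXAMPLE", "USERS.EXAMPLE", trusts)
        print(f"{label}: {'ok' if ok else 'FAILED (' + why + ')'}")
        for line in done:
            print("   ", line)
```

Running the block prints the outcome for three constructed configurations: with only the service realm trusting the user realm the exchange never gets past step 1, with only the reverse trust it stalls at step 3, and only the bidirectional case completes all four steps.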