Question about (no-)cross-realm trust

Vipin Rathor v.rathor at gmail.com
Tue Sep 17 22:22:47 EDT 2019


Hello Kerberos World!

I am trying to develop an application which can talk to a kerberized
service running in a remote realm. I am aware that this would ideally
require having trust (one way or two way) between my current realm and
the remote realm. Additionally, we want to avoid having trust as a
requirement (the folks maintaining the remote realm are quite 'possessive'
about their realm). Thinking more about this, I stumbled on this premise
which I want to validate through you, the experts!

What if my application can get two TGTs from both the realms and instead of
getting a cross-realm TGS, it can use the respective TGTs to talk to
respective realms?

Am I overlooking something here? Is this a sane thing to do in Kerberos
terms?

Regards,
VR

