Authentication Indicators and Cross Realm Trust

Ken Hornstein kenh at cmf.nrl.navy.mil
Sun Oct 9 17:38:38 EDT 2022


>On 9/30/22 16:06, Machin, Glenn Douglas via Kerberos wrote:
>> Can someone tell me if a TGT containing an authentication indicator will work over to a service principal in another realm which has a cross realm trust relationship?
>
>Authentication indicators are currently only accepted within the same 
>realm; cross-realm service ticket requests do not preserve the 
>indicators from the cross-realm TGT.

Hm, should they be preserved?

We are in the unusual situation of (a) relying on ticket flags to indicate
the use of hardware preauth and (b) we do a lot of cross-realm.  So we
depend on the client realm asserting the hw-auth ticket flag and make
authorization decisions based on that (obviously, we trust those realms
to only assert hw-auth flag when appropriate).  AND my eventual plan was to
transition to authentication indicators instead of the hw-auth ticket flag.

RFC 8129 acknowledges the existence of cross-realm authentication and
vaguely implies they will be preserved, specifically here:

   Application service evaluation of site-defined indicators MUST
   consider the realm of original authentication in order to avoid
   cross-realm indicator collisions.  Failure to enforce this property
   can result in invalid authorization decisions.

So is this just an implementation detail?  Is there something more that
I am missing? (Entirely possible!).

If it's just an implementation detail, what would the parameters of an
acceptable patch look like?  E.g., would the default be to not accept
any authentication indicators when doing cross-realm, and you have to
explicitly list realms you accept authentication indicators from?  Or
something else?

--Ken
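Added example (not from the thread or from MIT Kerberos): a small policy evaluator showing what the RFC 8129 text quoted above asks of an application service, namely that a site-defined indicator is only meaningful together with the realm that originally authenticated the client. It assumes the service has the client principal and the indicator strings from the ticket available (the `TicketView` type, the policy table and the realm/indicator names are all constructed for this illustration), and it implements the default-deny variant Ken sketches: indicators from a realm not explicitly listed are ignored.

```python
"""Example: evaluating site-defined Kerberos authentication indicators
scoped by the client's realm, so that the same indicator string issued
by two different realms is never treated as the same assertion."""

from dataclasses import dataclass


@dataclass(frozen=True)
class TicketView:
    """The fields of an accepted service ticket that this policy needs.
    Constructed for the example; a real service would fill this from its
    Kerberos library after accepting the AP-REQ."""
    client_principal: str      # e.g. "alice@EXAMPLE.ORG"
    auth_indicators: tuple     # indicator strings as the KDC issued them


# Constructed policy table: for each realm we are willing to trust for
# hardware-preauth assertions, the indicator string(s) that realm uses.
# Realms absent from the table contribute no indicators at all (default deny),
# which is what prevents cross-realm indicator collisions.
HW_AUTH_POLICY = {
    "EXAMPLE.ORG": {"hwauth"},
    "PARTNER.EXAMPLE": {"pkinit-hw"},
}


def client_realm(principal: str) -> str:
    """Return the realm of a principal name (the text after the last '@')."""
    _name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal has no realm component: {principal!r}")
    return realm


def accepted_indicators(ticket: TicketView, policy=HW_AUTH_POLICY) -> set:
    """Return the (realm, indicator) pairs that policy recognises for this
    ticket. Keying on the pair rather than the bare string is the property
    RFC 8129 requires of application services."""
    realm = client_realm(ticket.client_principal)
    recognised = policy.get(realm, set())
    return {(realm, ind) for ind in ticket.auth_indicators if ind in recognised}


def evaluate(ticket: TicketView, policy=HW_AUTH_POLICY) -> tuple:
    """Return (allowed, reason). The reason string is suitable for an
    authorization audit log, which is where a rejected collision shows up."""
    realm = client_realm(ticket.client_principal)
    if realm not in policy:
        return False, f"realm {realm} not listed for indicator trust"
    accepted = accepted_indicators(ticket, policy)
    if not accepted:
        return False, (f"no recognised hardware-auth indicator from {realm}; "
                       f"ticket carried {list(ticket.auth_indicators)}")
    return True, f"accepted {sorted(accepted)}"


def requires_hw_auth(ticket: TicketView, policy=HW_AUTH_POLICY) -> bool:
    """Convenience wrapper: True only if a trusted realm asserted hardware auth."""
    return evaluate(ticket, policy)[0]


if __name__ == "__main__":
    # Constructed sample tickets. The second one carries the same "hwauth"
    # string as the first but from an unlisted realm, and must not be honoured.
    samples = [
        TicketView("alice@EXAMPLE.ORG", ("hwauth",)),
        TicketView("mallory@UNLISTED.TEST", ("hwauth",)),
        TicketView("carol@PARTNER.EXAMPLE", ("hwauth",)),
        TicketView("carol@PARTNER.EXAMPLE", ("pkinit-hw",)),
    ]
    for t in samples:
        allowed, reason = evaluate(t)
        print(f"{t.client_principal:28} -> {'ALLOW' if allowed else 'DENY '}  ({reason})")
```

The third sample is the collision case the RFC warns about: PARTNER.EXAMPLE is a trusted realm, but the string it presents is the one EXAMPLE.ORG uses, so it is rejected rather than matched by name alone.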


