Is this TGS-REP legal now?

Weijun Wang Weijun.Wang at
Thu Mar 18 09:40:14 EDT 2010

How do I interpret "the only case" below? It sounds like KDC should only return a referral if the request is for a TGT.

3.3.3.  Generation of KRB_TGS_REP Message

   The response will include a ticket for the requested server or for a
   ticket granting server of an intermediate KDC to be contacted to
   obtain the requested ticket.  The Kerberos database is queried to
   retrieve the record for the appropriate server (including the key
   with which the ticket will be encrypted).  If the request is for a
   TGT for a remote realm, and if no key is shared with the requested
   realm, then the Kerberos server will select the realm 'closest' to
   the requested realm with which it does share a key and use that realm
   instead.  This is the only case where the response for the KDC will
   be for a different server than that requested by the client.


On Mar 18, 2010, at 9:17 PM, Sam Hartman wrote:

> RFC 4120 has always allowed a KDC to return a referral to a different
> realm than the one requested by the client.
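
To make the quoted rule concrete, here is a toy model of the KRB_TGS_REP target-selection step from section 3.3.3. It is an added example written for this page, not code from the thread or from any Kerberos implementation: the hierarchical walk (realms treated as ancestors of one another by their domain-style name components) follows the realm organisation RFC 4120 describes in section 1.2, and the realm names, service principals and cross-realm keys are constructed sample data. It shows both halves of the paragraph: an ordinary service request is answered for exactly that service or not at all, while a request for a remote realm's TGT is the one case where the KDC may answer with a ticket for a different (closer) realm.

```python
"""Toy model of KRB_TGS_REP target selection (RFC 4120 section 3.3.3).

Assumptions (not from the thread): realms are named like DNS domains and
form a hierarchy by name components, as described in RFC 4120 section 1.2.
All realm and principal names below are constructed sample data.
"""


def ancestors(realm):
    """Return a realm and its parents, e.g. A.B.C -> ['A.B.C', 'B.C', 'C']."""
    parts = realm.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def realm_path(src, dst):
    """Hierarchical path from src up to the nearest common ancestor and
    down to dst. Without a common ancestor the path climbs to the top of
    src's hierarchy and descends through all of dst's ancestors."""
    up = ancestors(src)
    down = ancestors(dst)
    common = next((r for r in up if r in down), None)
    if common is None:
        return up + list(reversed(down))
    path = up[: up.index(common) + 1]
    path += list(reversed(down[: down.index(common)]))
    return path


class Kdc:
    def __init__(self, realm, local_services, cross_realm_keys):
        self.realm = realm
        # Service principals registered in this realm.
        self.local = set(local_services)
        # Realms R for which this KDC holds a krbtgt/R key (a shared key).
        self.trusted = set(cross_realm_keys)

    def tgs_rep_target(self, requested_sname):
        """Return the service principal name the ticket in the KRB_TGS_REP
        will be issued for, or None if the request cannot be satisfied."""
        if not requested_sname.startswith("krbtgt/"):
            # Ordinary service: the response is for exactly the requested
            # server or there is no ticket at all. No substitution here.
            return requested_sname if requested_sname in self.local else None

        target = requested_sname.split("/", 1)[1]
        if target == self.realm:
            # A TGT for our own realm is handled locally.
            return requested_sname

        # Request for a remote realm's TGT: walk the hierarchical path and
        # pick the realm nearest the target with which we share a key. This
        # is the only case where the answer may name a different server.
        for realm in reversed(realm_path(self.realm, target)[1:]):
            if realm in self.trusted:
                return f"krbtgt/{realm}"
        return None


if __name__ == "__main__":
    kdc = Kdc("ATHENA.MIT.EDU",
              local_services={"host/server.athena.mit.edu"},
              cross_realm_keys={"MIT.EDU"})
    # Direct answer for a local service.
    print(kdc.tgs_rep_target("host/server.athena.mit.edu"))
    # Remote realm without a direct key: answered with the closest realm
    # on the path for which a key exists (here the parent, MIT.EDU).
    print(kdc.tgs_rep_target("krbtgt/ENG.DEC.COM"))
```

With a second shared key, say for DEC.COM, the same request for krbtgt/ENG.DEC.COM is answered with krbtgt/DEC.COM instead, because that realm lies closer to the target on the path; with no shared key on the path at all the KDC has nothing to offer and returns None.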

