>>>>> "Weijun" == Weijun Wang <Weijun.Wang at sun.com> writes:
Weijun> How do I interpret "the only case" below? It sounds like KDC
Weijun> should only return a referral if the request is for a TGT.
That's correct: RFC 4120 only permits referrals for TGTs.
Modern Kerberos uses the canonicalize flag to permit referrals in other
situations.