S4U2self and one-way trusts

Singh, Sundeep Sundeep.Singh at netapp.com
Mon Nov 14 19:05:43 EST 2016


I am trying to test S4U2self with one-way trusts between Windows domains and seem to be running into an issue.

I have a test setup where DOMAINA trusts DOMAINB. Server1 exists in DOMAINA, and user1 exists in DOMAINB. Given the direction of the trust, it should be possible to get a service ticket for Server1 for user1.

From the TRACE calls in the Kerberos library when S4U2self functionality is triggered on Server1 for user1, Server1 attempts to get a TGT to DOMAINB by using the principal "krbtgt\DOMAINB@DOMAINA". This request is sent to the KDC for DOMAINA. My understanding is that this krbtgt account will not exist for this one-way trust, and the request fails with "server not found in Kerberos database" in my setup.

So, is S4U2self expected to work in a one-way trust scenario? If so, what should be the principal for the TGS request to get the TGT to the user's realm?