[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Greg Hudson ghudson at mit.edu
Wed Aug 23 20:38:07 EDT 2017

On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket.  MIT and Heimdal
>> KDCs both appear to perform the transited check and set the flag by default.
> But Windows KDCs don't set this bit (I guess because it's just not
> useful).

I don't agree at all that the bit isn't useful.  That bit is how a KDC
communicates that it vouches for the transited path.  Unfortunately, you
do appear to be correct about Windows KDCs.  MS-KILE says:

    The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
    MUST NOT check for transited domains on servers or a KDC.
    Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.

which basically means Microsoft has declined to conform to RFC 4120 in
this area, instead requiring servers to implement PACs to interoperate
in a cross-realm environment.

I guess the proposed credential option is necessary, in that case.
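An added illustration of the server-side decision discussed in this thread, not code from the thread, MIT krb5, or Heimdal: the application server trusts the KDC's vouching when TRANSITED-POLICY-CHECKED is set, and otherwise expands the ticket's transited field itself and checks it against a local allowlist of realms. The allowlist and realm names are constructed; only the DNS-style compression rule of RFC 4120 section 3.3.3.2 is decoded, and any other encoding fails closed.

```python
# Added example: server-side transited-path decision for a cross-realm ticket.
# Not MIT krb5 or Heimdal code; trusted_realms and sample inputs are constructed.

# TicketFlags bit positions from RFC 4120 section 5.4.2 (bit 0 is the MSB).
TRANSITED_POLICY_CHECKED = 12


def flag_set(ticket_flags: int, bit: int, nbits: int = 32) -> bool:
    """ASN.1 BIT STRING semantics: bit 0 is the most significant bit."""
    return bool(ticket_flags & (1 << (nbits - 1 - bit)))


def expand_transited(transited: str) -> list:
    """Expand the DOMAIN-X500-COMPRESS transited encoding (RFC 4120 3.3.3.2).

    Only the DNS-style rule is implemented: a component ending in '.' has the
    previous (already expanded) realm appended, so "EDU,MIT.,ATHENA." becomes
    EDU, MIT.EDU, ATHENA.MIT.EDU.  X.500-style components (leading '/') and
    empty components are rejected rather than guessed at.
    """
    if transited == "":
        return []  # direct cross-realm trust: no intermediate realms
    realms = []
    for comp in transited.split(","):
        if comp == "" or comp.startswith("/"):
            raise ValueError(f"unsupported transited encoding: {transited!r}")
        if comp.endswith("."):
            if not realms:
                raise ValueError("trailing-dot component with no previous realm")
            comp = comp + realms[-1]
        realms.append(comp)
    return realms


def accept_ticket(ticket_flags: int, transited: str, trusted_realms: set) -> bool:
    """Return True if the server should accept the ticket's cross-realm path.

    A Windows KDC never sets TRANSITED-POLICY-CHECKED, so for its tickets the
    server always ends up in the local-check branch.
    """
    if flag_set(ticket_flags, TRANSITED_POLICY_CHECKED):
        return True  # the issuing KDC vouches for the transited path
    try:
        path = expand_transited(transited)
    except ValueError:
        return False  # unknown encoding: fail closed
    return all(realm in trusted_realms for realm in path)
```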

