cross-realm Kerberos constrained delegation [S4U2Self]

Rajesh Kumar Raju rajeshkr at
Tue Sep 26 05:25:15 EDT 2017

Dear all,

Thanks for developing such a wonderful stack.

I got a document, MS-SFU.pdf. Below is the content of page 28 of MS-SFU.pdf.

Below are the steps to create S4U2Self:

Step 1: The service sends a request to its TGS, TGS-A, for a TGT to TGS B. No S4U2Self information is included in this request.
Step 2: TGS A responds with the cross-realm TGT to TGS-B. If the TGS-B was not the user's realm but was instead just a realm closer, then the service would send a KRB_TGS_REQ message to TGS-B to get a TGT to the next realm.

Note: TGS-A and TGS-B are Ticket Granting Servers from two different domains.

I am trying to understand step 1 and step 2 mentioned above. How can I get a TGT for TGS B? Generally, a TGT is for the user.

Thanks in advance
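
Added example, not part of the original post and not code from MS-SFU or the krb5 project: a small model of the two quoted steps, showing that each cross-realm TGT is issued to the service principal and names `krbtgt/<next realm>@<issuing realm>` as its server. The realm names, the `NEXT_HOP` table and the function names are constructed for illustration; no real KDC exchange or cryptography is performed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    client: str  # principal the ticket was issued to: the service, not the user
    server: str  # krbtgt/<realm whose TGS accepts it>@<realm that issued it>

# Constructed topology (assumption): what each TGS hands out when asked for a
# TGT to a target realm: the target itself, or a realm closer to it.
NEXT_HOP = {
    "A.EXAMPLE": {"B.EXAMPLE": "B.EXAMPLE", "C.EXAMPLE": "B.EXAMPLE"},
    "B.EXAMPLE": {"C.EXAMPLE": "C.EXAMPLE"},
    "C.EXAMPLE": {},
}

def tgs_realm(tgt):
    """Realm of the TGS that accepts this TGT (the instance part of krbtgt/...)."""
    return tgt.server.split("/", 1)[1].split("@", 1)[0]

def tgs_req(tgt, target_realm):
    """Model a KRB_TGS_REQ for krbtgt/target_realm; no S4U2Self data is sent."""
    issuer = tgs_realm(tgt)
    hop = NEXT_HOP.get(issuer, {}).get(target_realm)
    if hop is None:
        raise LookupError(f"{issuer} has no trust path to {target_realm}")
    return Ticket(tgt.client, f"krbtgt/{hop}@{issuer}")

def tgt_chain(service, user_realm):
    """Return every TGT the service holds on the way to the user's realm."""
    home = service.rsplit("@", 1)[1]
    chain = [Ticket(service, f"krbtgt/{home}@{home}")]  # from the service's own AS exchange
    seen = {home}
    while tgs_realm(chain[-1]) != user_realm:
        nxt = tgs_req(chain[-1], user_realm)
        if tgs_realm(nxt) in seen:
            raise RuntimeError("referral loop at " + tgs_realm(nxt))
        seen.add(tgs_realm(nxt))
        chain.append(nxt)
    return chain

if __name__ == "__main__":
    for t in tgt_chain("HTTP/web.a.example@A.EXAMPLE", "C.EXAMPLE"):
        print(f"{t.server:32} issued to {t.client}")
```

With the user in `C.EXAMPLE`, the second hop is the "realm closer" case from step 2: TGS-A returns a TGT for `B.EXAMPLE`, and the service repeats the request there.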

