Microsoft apparently published some of the first information about S4U2Self back in 2003 here:
http://msdn.microsoft.com/en-us/magazine/cc188757.aspx

In it they state: "If the client and the service are in separate domains, this requires a bidirectional trust path between them because the service, acting on the client's behalf, must request tickets from the client's domain."

It seems every talk about this since then has mirrored this sentiment... for instance a (relatively recent) post by Simo:
http://www.ietf.org/mail-archive/web/krb-wg/current/msg02303.html
"bidirectional trust is not only what is required..."

But I can't find anything in MS-SFU that would state this is required. In fact the only mention of trust is:

"If the user's realm is the same as Service 1's realm, the service already has the TGT that it needs. If the user's account is in a different realm, the service constructs a KRB_TGS_REQ with the name of the TGS of the user's realm as the sname field in the request. The cname and crealm fields are set to the name and realm of Service 1. See [RFC4120] section 5.3 for the use of sname and cname. If there is not a direct trust relationship with an inter-realm key between Service 1's realm and the user's realm, the service's TGS MUST return a TGT to a realm closer to the user's realm. This process is repeated until Service 1 obtains a TGT to a TGS in the user's realm"

The "S4U2self Multiple Realm Example" here also is unclear:
http://msdn.microsoft.com/en-us/library/cc246109.aspx

Can anyone validate that a bi-directional trust is required, and why the service realm trusting the user realm is not sufficient?

TIA
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
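The referral loop in the MS-SFU passage quoted above, as an added example that is not from the list post or from Microsoft: a simplified simulation in which each inter-realm key is a one-way edge (realm A's KDC holding krbtgt/B@A), "closer" is measured in the DNS-style realm hierarchy, and the realm names and trust keys are constructed. It shows the chain of cross-realm TGTs Service 1 collects on its way to the user's realm, and that the chain breaks as soon as a KDC on the service side holds no key pointing toward the user's realm.

```python
# Simplified model of the cross-realm TGT chain from the MS-SFU text quoted
# above. Assumptions (not from the page): realms are DNS-style names, an
# inter-realm key is a directed edge, and "closer" means fewer hierarchy hops.
from typing import Dict, List, Optional, Set

# Constructed sample trust keys: KDC of <key> holds krbtgt/<value>@<key>.
# PARTNER.NET is trusted one-way by EXAMPLE.COM and holds no keys itself.
TRUST_KEYS: Dict[str, Set[str]] = {
    "CORP.EXAMPLE.COM": {"EXAMPLE.COM"},
    "HR.EXAMPLE.COM": {"EXAMPLE.COM"},
    "EXAMPLE.COM": {"CORP.EXAMPLE.COM", "HR.EXAMPLE.COM", "PARTNER.NET"},
    "PARTNER.NET": set(),
}

def _realm_distance(a: str, b: str) -> int:
    """Hops between two realms in the name hierarchy: the labels of each name
    beyond their common suffix (0 when the realms are the same)."""
    la, lb = a.upper().split("."), b.upper().split(".")
    shared = 0
    while shared < min(len(la), len(lb)) and la[-1 - shared] == lb[-1 - shared]:
        shared += 1
    return len(la) + len(lb) - 2 * shared

def next_hop(kdc_realm: str, user_realm: str, keys: Dict[str, Set[str]]) -> Optional[str]:
    """What this KDC answers to a TGS-REQ with sname = krbtgt/<user_realm>: a TGT
    for the user's realm if it holds that key, otherwise a TGT to the realm it
    does hold a key for that is closest to the user's realm, or None if no
    known realm is any closer (the referral chain cannot continue)."""
    known = keys.get(kdc_realm, set())
    if user_realm in known:
        return user_realm
    here = _realm_distance(kdc_realm, user_realm)
    closer = [r for r in known if _realm_distance(r, user_realm) < here]
    return min(closer, key=lambda r: _realm_distance(r, user_realm)) if closer else None

def s4u2self_tgt_chain(service_realm: str, user_realm: str, keys: Dict[str, Set[str]]) -> List[str]:
    """Repeat the quoted loop until Service 1 holds a TGT to a TGS in the user's
    realm. Returns the realms whose TGTs were obtained, in order."""
    chain: List[str] = []
    current = service_realm
    for _ in range(16):  # guard against routing loops in a bad trust graph
        if current == user_realm:
            return chain
        hop = next_hop(current, user_realm, keys)
        if hop is None:
            raise LookupError(f"KDC of {current} holds no inter-realm key toward {user_realm}")
        chain.append(hop)
        current = hop
    raise LookupError("referral chain did not converge")

def chain_or_none(service_realm: str, user_realm: str, keys: Dict[str, Set[str]]) -> Optional[List[str]]:
    """Convenience wrapper: None instead of an exception when the chain breaks."""
    try:
        return s4u2self_tgt_chain(service_realm, user_realm, keys)
    except LookupError:
        return None
```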