On 05/15/2014 05:50 PM, Ben H wrote:
> Can anyone validate that a bi-directional trust is required, and why the
> service realm trusting the user realm is not sufficient?
I believe a bidirectional trust is actually required. The process as I understand it is (assuming direct trust relationships):

1. Service gets a cross-realm TGT to the user realm (requires user realm to trust service realm).
2. Service makes S4U2Self request to user realm.
3. User realm responds with referral back to service realm (requires service realm to trust user realm).
4. Service presents referral TGT to service realm and gets evidence ticket.

All this is required because of PACs; if there were no need to acquire authdata for the user, the service realm could print the necessary ticket without help from the user realm, and there would be no need for the user realm to trust the service realm.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
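The four-step exchange in the reply above, modelled as a walk over one-way trusts so that a given trust configuration can be checked for where cross-realm S4U2Self would stop. This is an added example for the thread, not code from MIT Kerberos; the realm names and the `TrustGraph` helper are constructed, and no KDC is contacted.

```python
# Models the cross-realm S4U2Self flow: which one-way trust each step needs,
# and where the exchange fails when a trust is missing. Constructed example;
# realm names are placeholders and nothing here talks to a real KDC.

class TrustGraph:
    """Directional trusts: "A trusts B" means A's KDC accepts a cross-realm
    TGT issued by B (krbtgt/A@B), so B can send its clients to A."""

    def __init__(self, edges):
        # edges: iterable of (trusting_realm, trusted_realm) pairs
        self.edges = set(edges)

    def trusts(self, trusting, trusted):
        return (trusting, trusted) in self.edges


def s4u2self_cross_realm(trusts, service_realm, user_realm, need_authdata=True):
    """Walk the exchange for a service in service_realm impersonating a user
    in user_realm. Returns (succeeds, steps), where steps is the trace."""
    steps = []
    if service_realm == user_realm:
        return True, ["local S4U2Self: no cross-realm trust involved"]
    if not need_authdata:
        # No PAC/authdata to fetch, so the service realm can issue the
        # evidence ticket itself without consulting the user realm.
        return True, ["service realm issues ticket locally (no authdata needed)"]
    # Step 1: service asks its own KDC for krbtgt/USER@SERVICE; the user
    # realm will only accept that TGT if it trusts the service realm.
    if not trusts.trusts(user_realm, service_realm):
        steps.append(f"1 FAIL: {user_realm} does not trust {service_realm}")
        return False, steps
    steps.append(f"1 OK: got krbtgt/{user_realm}@{service_realm}")
    # Step 2: S4U2Self request carried to the user realm on that TGT.
    steps.append(f"2 OK: S4U2Self sent to {user_realm} KDC")
    # Step 3: user realm answers with a referral krbtgt/SERVICE@USER, which the
    # service realm only honours if it trusts the user realm.
    if not trusts.trusts(service_realm, user_realm):
        steps.append(f"3 FAIL: {service_realm} does not trust {user_realm}")
        return False, steps
    steps.append(f"3 OK: referral krbtgt/{service_realm}@{user_realm} returned")
    # Step 4: referral TGT presented to the service realm; evidence ticket issued.
    steps.append("4 OK: evidence ticket issued by service realm")
    return True, steps


if __name__ == "__main__":
    one_way = TrustGraph([("SVC.EXAMPLE", "USR.EXAMPLE")])  # service trusts user only
    for line in s4u2self_cross_realm(one_way, "SVC.EXAMPLE", "USR.EXAMPLE")[1]:
        print(line)
```

Run with only one direction of trust in each configuration to see which step stops; both directions are needed before step 4 is reached.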