6.1.6.2.3 TDO Roles in Authorization over Domain Boundaries
In some configurations, authorization data received from a trusted domain, such as a SID ([MS-DTYP] section 2.4.2) or a client name in a Kerberos cross-realm ticket-granting ticket (TGT) ([RFC4120] section 5.3), must be scrutinized to protect against attempts by the foreign domain to claim identities that belong to the local domain. For example, if the foreign DC were compromised by an attacker, without these protections the attacker could inject the SID of the local domain administrator (or of the local Domain Admins group) into the transferred TGT. The end result would be that the attacker is granted domain administrator rights in the local domain.
To protect against these attacks, TDOs record the name spaces and SID spaces that legitimately belong to the foreign domain. When this checking is enabled (controlled by flags in the TDO's trustAttributes attribute), authentication protocols use this information to verify that authorization data passed through the protocol is valid for the trust. If a SID or name within the authorization data does not fall within the spaces claimed in the TDO, the request is rejected. This can cause network logon attempts to fail or, alternately, cause Kerberos ticket requests to fail, as discussed in [MS-PAC] section 4.2.3.
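The following is an added example, not code from [MS-ADTS] or from Windows, that models the SID-space check described above: a DC in the local domain compares every domain-relative SID in the authorization data arriving over a trust against the SID spaces recorded in the TDO, and rejects the request if any SID falls outside them. The domain names, domain SIDs, the `TrustedDomainObject`/`LocalDomain` classes and the sample PACs are all constructed for illustration; the model only examines SIDs of the form S-1-5-21-..., and the handling of non-domain well-known SIDs (S-1-1-0, S-1-5-9, and so on) that the real implementation performs is deliberately left out.

```python
"""
Simplified model of the SID-space check a local DC applies to authorization
data received across a trust. Teaching code, not the Windows implementation;
all names, SIDs and record layouts below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN_SID_PREFIX = "S-1-5-21-"   # NT authority, domain SIDs use sub-authority 21


def domain_part(sid: str) -> Optional[str]:
    """Return the domain identifier (everything but the RID) of a domain SID,
    or None if the SID is not domain-relative (e.g. S-1-1-0, S-1-5-9)."""
    if not sid.startswith(DOMAIN_SID_PREFIX):
        return None
    parts = sid.split("-")
    # S-1-5-21-A-B-C[-RID]: the domain identifier is the first 7 components
    if len(parts) < 7:
        raise ValueError(f"malformed domain SID: {sid}")
    return "-".join(parts[:7])


@dataclass
class TrustedDomainObject:
    """Hypothetical view of the TDO fields that matter here: the SID spaces
    the foreign side may legitimately assert (one per domain in a forest trust)."""
    partner_name: str
    sid_spaces: set


@dataclass
class LocalDomain:
    name: str
    domain_sid: str


def check_cross_trust_authz(local: LocalDomain, tdo: TrustedDomainObject,
                            pac_sids: List[str]) -> Tuple[bool, List[str]]:
    """Return (accepted, offending_sids).

    A domain-relative SID is accepted only if its domain identifier is one the
    TDO says belongs to the trust partner. Any other domain-relative SID, in
    particular one from the local domain, makes the whole request fail, which
    is the rejection behaviour the text above describes. The reason string
    distinguishes an attempt to claim a local identity from a SID of some
    unrelated domain, which is useful when logging the failure.
    """
    offending = []
    local_dom = domain_part(local.domain_sid)
    for sid in pac_sids:
        dom = domain_part(sid)
        if dom is None:
            continue                       # non-domain SID: out of scope for this model
        if dom in tdo.sid_spaces:
            continue                       # legitimately owned by the trust partner
        reason = "claims local-domain identity" if dom == local_dom else "outside trust SID space"
        offending.append(f"{sid} ({reason})")
    return (len(offending) == 0, offending)


# Constructed sample data: local forest root and a two-domain trusted forest.
LOCAL = LocalDomain("corp.example", "S-1-5-21-1111-2222-3333")
TDO = TrustedDomainObject("partner.example",
                          {"S-1-5-21-4444-5555-6666",      # partner root domain
                           "S-1-5-21-7777-8888-9999"})     # partner child domain

# Legitimate PAC: a partner user, a partner group, a child-domain group, Everyone.
LEGIT_PAC = ["S-1-5-21-4444-5555-6666-1105", "S-1-5-21-4444-5555-6666-513",
             "S-1-5-21-7777-8888-9999-1204", "S-1-1-0"]

# Forged PAC from a compromised partner DC: same as above plus the local
# Domain Admins group (RID 512 under the local domain SID).
FORGED_PAC = LEGIT_PAC + ["S-1-5-21-1111-2222-3333-512"]


def demo() -> Tuple[bool, bool]:
    """Run both PACs through the check; returns (legit_accepted, forged_accepted)."""
    ok_legit, _ = check_cross_trust_authz(LOCAL, TDO, LEGIT_PAC)
    ok_forged, bad = check_cross_trust_authz(LOCAL, TDO, FORGED_PAC)
    print("legitimate PAC accepted:", ok_legit)
    print("forged PAC accepted:", ok_forged, "offending:", bad)
    return ok_legit, ok_forged


if __name__ == "__main__":
    demo()
```

The check is deliberately all-or-nothing: the text above says the request is rejected, so the model does not silently drop the bad SID and continue. A real deployment also has to decide what to do with SIDs that are not domain-relative, which is exactly the part left out here.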