3.3.5.7.5 Cross-Domain Trust and Referrals
If a cross-domain referral is determined to be necessary ([RFC4120] section 1.2 and [Referrals-11]), the appropriate inter-realm key MUST be retrieved from the TDO and used as specified in [RFC4120]. DES MUST NOT be used unless no other etype is supported.<62>
If the TRUST_ATTRIBUTE_CROSS_ORGANIZATION flag is set in the trustAttributes field ([MS-ADTS] section 6.1.6.7.9), the OTHER_ORGANIZATION SID ([MS-DTYP] section 2.4.2.4) MUST be added to KERB_VALIDATION_INFO.ExtraSids and the SidCount field MUST be incremented in the user's PAC. The KDC MUST perform an ACL check while processing the TGS request as follows: the security descriptor MUST be that of the server Active Directory account object, the client principal MUST be that of the client user, and the requested access MUST be ACTRL_DS_CONTROL_ACCESS. If there is a failure in the check, the KDC MUST reject the authentication request with KDC_ERROR_POLICY.
If the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION flag is set in the trustAttributes field ([MS-ADTS] section 6.1.6.7.9), the KDC MUST return a ticket with the ok-as-delegate flag not set in TicketFlags.
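The following is an added illustration, not text or code from [MS-KILE] or any Windows implementation. It models the KDC-side decisions this section describes for a referral TGS request across a cross-organization trust: inter-realm key selection that avoids DES unless nothing else is shared, insertion of the OTHER_ORGANIZATION SID into ExtraSids with the SidCount increment, the control-access ACL check against the server account object (rejected with KDC_ERROR_POLICY on failure), and clearing ok-as-delegate when TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION is set. The trust-attribute bit values and the ACTRL_DS_CONTROL_ACCESS mask are quoted from memory and should be treated as assumptions; the TDO, server account, ACL and SIDs are constructed stand-ins, and the ACL check is simplified (no object-type GUID, no deny ACEs).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# trustAttributes bits as documented in [MS-ADTS] (assumption: quoted from memory).
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x00000200

OTHER_ORGANIZATION_SID = "S-1-5-1000"  # well-known SID from [MS-DTYP]
ACTRL_DS_CONTROL_ACCESS = 0x00000100    # control-access right bit (assumption)
DES_ETYPES = {"des-cbc-crc", "des-cbc-md5"}


class KdcPolicyError(Exception):
    """Raised where the KDC would answer the request with KDC_ERROR_POLICY."""


@dataclass
class KerbValidationInfo:
    """Minimal stand-in for the KERB_VALIDATION_INFO structure in the PAC."""
    user_sid: str
    group_sids: list[str] = field(default_factory=list)
    sid_count: int = 0
    extra_sids: list[str] = field(default_factory=list)


@dataclass
class TrustedDomainObject:
    """Stand-in for the TDO: trust attributes plus inter-realm keys keyed by etype."""
    name: str
    trust_attributes: int
    inter_realm_keys: dict[str, bytes]


@dataclass
class ServerAccount:
    """Stand-in for the server's AD account object and a simplified DACL."""
    spn: str
    access_by_sid: dict[str, int]          # SID -> access mask the DACL grants it
    trusted_for_delegation: bool = False   # would normally yield ok-as-delegate


def select_inter_realm_key(tdo: TrustedDomainObject, client_etypes: list[str]):
    """Return (etype, key) for the referral; DES only when nothing else is common."""
    common = [e for e in client_etypes if e in tdo.inter_realm_keys]
    non_des = [e for e in common if e not in DES_ETYPES]
    chosen = non_des or common
    if not chosen:
        raise KdcPolicyError("no inter-realm key for any requested etype")
    return chosen[0], tdo.inter_realm_keys[chosen[0]]


def access_check(server: ServerAccount, token_sids: list[str], requested: int) -> bool:
    """Simplified allow-only ACL check: union the access granted to every SID in the token."""
    granted = 0
    for sid in token_sids:
        granted |= server.access_by_sid.get(sid, 0)
    return granted & requested == requested


def process_cross_org_tgs(tdo: TrustedDomainObject, server: ServerAccount,
                          pac: KerbValidationInfo):
    """Apply the cross-organization rules; returns (pac, ticket_flags) or raises."""
    ticket_flags = {"ok-as-delegate"} if server.trusted_for_delegation else set()

    if tdo.trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION:
        # Mark the token as coming from another organization before the ACL check,
        # so a DACL can be written in terms of OTHER_ORGANIZATION as well as the user.
        pac.extra_sids.append(OTHER_ORGANIZATION_SID)
        pac.sid_count += 1
        token = [pac.user_sid, *pac.group_sids, *pac.extra_sids]
        if not access_check(server, token, ACTRL_DS_CONTROL_ACCESS):
            raise KdcPolicyError("KDC_ERROR_POLICY")

    if tdo.trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION:
        ticket_flags.discard("ok-as-delegate")

    return pac, ticket_flags


def demo() -> dict:
    """Constructed scenario: a partner-forest user reaching a file server via referral."""
    tdo = TrustedDomainObject(
        "partner.example",
        TRUST_ATTRIBUTE_CROSS_ORGANIZATION | TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION,
        {"des-cbc-md5": b"d" * 8, "aes256-cts-hmac-sha1-96": b"a" * 32},
    )
    server = ServerAccount("cifs/fs01.example",
                           {"S-1-5-21-1-2-3-1105": ACTRL_DS_CONTROL_ACCESS},
                           trusted_for_delegation=True)
    etype, _ = select_inter_realm_key(tdo, ["des-cbc-md5", "aes256-cts-hmac-sha1-96"])
    pac, flags = process_cross_org_tgs(tdo, server, KerbValidationInfo("S-1-5-21-1-2-3-1105"))
    return {"etype": etype, "extra_sids": pac.extra_sids,
            "sid_count": pac.sid_count, "ticket_flags": flags}


if __name__ == "__main__":
    print(demo())
```

The ordering matters for a defender reading audit data: the OTHER_ORGANIZATION SID is placed in the token before the access check, so an "Allowed to Authenticate" style DACL on the server account can recognize foreign-forest principals, and a request that fails that check never yields a ticket at all.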