Cross-Domain Trust and Referrals

The KDC derives its knowledge of cross-domain trusts from trusted domain objects (TDOs) in Active Directory.

If a cross-domain referral is determined to be necessary ([RFC4120] section 1.2 and [Referrals-11]), the appropriate inter-realm key MUST be retrieved from the TDO and used as specified in [RFC4120]. DES MUST NOT be used unless no other etype is supported.<62>

If the TRUST_ATTRIBUTE_CROSS_ORGANIZATION flag is set in the TrustAttributes field ([MS-ADTS] section), the OTHER_ORGANIZATION SID ([MS-DTYP] section) MUST be added to KERB_VALIDATION_INFO.ExtraSids and the SidCount field MUST be incremented in the user's PAC. The KDC MUST perform an ACL check while processing the TGS request as follows.

  • The security descriptor MUST be that of the server Active Directory account object,

  • the client principal MUST be that of the client user,

  • and the requested access MUST be ACTRL_DS_CONTROL_ACCESS.

If there is a failure in the check, the KDC MUST reject the authentication request with KDC_ERROR_POLICY.

If the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION flag is set in the trustAttributes field ([MS-ADTS] section), the KDC MUST return a ticket with the ok-as-delegate flag not set in TicketFlags.
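The cross-organization rules above (ExtraSids/SidCount update, the ACL check against the server account object, and the ok-as-delegate suppression) as an added model of the KDC's TGS-side decision; this is illustrative code written for this page, not Microsoft's implementation. The flag, SID, access-right and error values are assumed from [MS-ADTS], [MS-DTYP] and [RFC4120] rather than quoted from this section, and the security descriptor is a constructed SID-to-access-mask map standing in for a real DACL.

```python
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Optional

# Constant values are assumed from [MS-ADTS], [MS-DTYP] and RFC 4120, not from this section.
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x00000200
OTHER_ORGANIZATION_SID = "S-1-5-1000"   # well-known SID added to the PAC
ACTRL_DS_CONTROL_ACCESS = 0x00000100     # DS control-access right checked on the server object
TICKET_FLAG_OK_AS_DELEGATE = 1 << 13     # TicketFlags bit 13
KDC_ERR_POLICY = 12

@dataclass
class KerbValidationInfo:
    """Subset of KERB_VALIDATION_INFO: ExtraSids and SidCount must stay in step."""
    user_sid: str
    extra_sids: List[str] = field(default_factory=list)
    sid_count: int = 0

@dataclass
class TgsResult:
    error: Optional[int]               # KDC_ERR_POLICY on ACL failure, else None
    ticket_flags: int                  # TicketFlags to place in the issued ticket
    pac: Optional[KerbValidationInfo]  # PAC to embed, or None when the request is rejected

# Constructed stand-in for a security descriptor: SID -> access mask granted on the server account.
SampleSd = Dict[str, int]

def acl_allows(server_sd: SampleSd, client_sid: str, requested: int) -> bool:
    """Toy ACL check: grant only if every requested bit is present for the client SID."""
    return (server_sd.get(client_sid, 0) & requested) == requested

def process_cross_org_tgs(trust_attributes: int, pac: KerbValidationInfo, server_sd: SampleSd,
                          proposed_flags: int,
                          check: Callable[[SampleSd, str, int], bool] = acl_allows) -> TgsResult:
    """Apply the cross-organization TDO rules to a TGS request that crosses the trust."""
    pac = replace(pac, extra_sids=list(pac.extra_sids))  # work on a copy of the PAC
    if trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION:
        # Mark the user as coming from another organization; keep SidCount consistent.
        pac.extra_sids.append(OTHER_ORGANIZATION_SID)
        pac.sid_count += 1
        # ACL check: server account's security descriptor, client user, ACTRL_DS_CONTROL_ACCESS.
        if not check(server_sd, pac.user_sid, ACTRL_DS_CONTROL_ACCESS):
            return TgsResult(KDC_ERR_POLICY, 0, None)
    flags = proposed_flags
    if trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION:
        flags &= ~TICKET_FLAG_OK_AS_DELEGATE  # do not advertise the service as delegation-safe
    return TgsResult(None, flags, pac)
```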