3.3.5.7.5 Cross-Domain Trust and Referrals

The KDC derives its knowledge of cross-domain trusts from trusted domain objects (TDOs) in Active Directory.

If a cross-domain referral is determined to be necessary ([RFC4120] section 1.2 and [Referrals-11]), the appropriate inter-realm key MUST be retrieved from the TDO and used as specified in [RFC4120]. DES MUST NOT be used unless no other etype is supported.<71>

If the TRUST_ATTRIBUTE_CROSS_ORGANIZATION flag is set in the TrustAttributes field ([MS-ADTS] section 6.1.6.7.9), the OTHER_ORGANIZATION SID ([MS-DTYP] section 2.4.2.4) MUST be added to KERB_VALIDATION_INFO.ExtraSids and the SidCount field MUST be incremented in the user's PAC. The KDC MUST perform an ACL check while processing the TGS request as follows.

  • The security descriptor MUST be that of the server Active Directory account object,

  • the client principal MUST be that of the client user,

  • and the requested access MUST be ACTRL_DS_CONTROL_ACCESS.

If there is a failure in the check, the KDC MUST reject the authentication request with KDC_ERROR_POLICY.

The KDC MUST NOT return a ticket with the ok-as-delegate flag set in TicketFlags unless the following conditions, evaluated on the flags of the source ticket and on the trustAttributes field of the TDO, hold. The trustAttributes field flags are defined in [MS-ADTS] section 6.1.6.7.9.

DisableConditions = Source ticket does not have ok-as-delegate, OR trust attributes include TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION, OR trust attributes include TRUST_ATTRIBUTE_QUARANTINED_DOMAIN.

EnableConditions = Trust attributes include TRUST_ATTRIBUTE_WITHIN_FOREST, OR TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION.<72>

If EnableConditions is TRUE and DisableConditions is FALSE, then the KDC sets the ok-as-delegate flag.
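The following is an added example, not part of [MS-KILE], that encodes the two rules above (the OTHER_ORGANIZATION SID insertion from the TRUST_ATTRIBUTE_CROSS_ORGANIZATION check, and the DisableConditions/EnableConditions rule for ok-as-delegate) as plain functions evaluated over constructed inputs. The TrustAttributes bit values are assumed from [MS-ADTS] section 6.1.6.7.9 and should be verified against the current revision; the KERB_VALIDATION_INFO stand-in and the `acl_check` callback are simplifications for illustration, not the KDC's actual data structures.

```python
"""Added example: evaluate the [MS-KILE] 3.3.5.7.5 referral rules over constructed inputs."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# TrustAttributes bit values as assumed from [MS-ADTS] section 6.1.6.7.9.
# The logic below depends only on the flag names; verify the numeric values against the spec.
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION = 0x00000200
TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x00000800

OTHER_ORGANIZATION_SID = "S-1-5-1000"  # [MS-DTYP] section 2.4.2.4
KDC_ERROR_POLICY = "KDC_ERROR_POLICY"   # error name from the text; returned instead of a ticket


@dataclass
class KerbValidationInfo:
    """Minimal stand-in for the PAC's KERB_VALIDATION_INFO (only the fields this rule touches)."""
    SidCount: int = 0
    ExtraSids: List[str] = field(default_factory=list)


def ok_as_delegate_for_referral(source_ticket_ok_as_delegate: bool, trust_attributes: int) -> bool:
    """Return True only when EnableConditions hold and DisableConditions do not."""
    disable_conditions = (
        not source_ticket_ok_as_delegate
        or bool(trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION)
        or bool(trust_attributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
    )
    enable_conditions = bool(
        trust_attributes
        & (TRUST_ATTRIBUTE_WITHIN_FOREST | TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)
    )
    return enable_conditions and not disable_conditions


def process_cross_organization(
    info: KerbValidationInfo,
    trust_attributes: int,
    acl_check: Callable[[], bool],
) -> Optional[KerbValidationInfo]:
    """Apply the TRUST_ATTRIBUTE_CROSS_ORGANIZATION rule.

    When the flag is set, add OTHER_ORGANIZATION to ExtraSids, increment SidCount, and run the
    ACL check (server account security descriptor, client user principal, ACTRL_DS_CONTROL_ACCESS).
    Returns the updated PAC info, or None to signal that the KDC must answer KDC_ERROR_POLICY.
    The acl_check callback stands in for the real security-descriptor evaluation (assumption).
    """
    if not trust_attributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION:
        return info
    info.ExtraSids.append(OTHER_ORGANIZATION_SID)
    info.SidCount += 1
    if not acl_check():
        return None
    return info


def referral_decision(source_ticket_ok_as_delegate: bool, trust_attributes: int,
                      acl_check: Callable[[], bool]) -> dict:
    """Combine both rules into one decision record for a TGS referral."""
    pac = process_cross_organization(KerbValidationInfo(), trust_attributes, acl_check)
    if pac is None:
        return {"error": KDC_ERROR_POLICY}
    return {
        "ok_as_delegate": ok_as_delegate_for_referral(source_ticket_ok_as_delegate, trust_attributes),
        "SidCount": pac.SidCount,
        "ExtraSids": list(pac.ExtraSids),
    }


if __name__ == "__main__":
    # Constructed cases: a forest trust, a quarantined forest trust, and a cross-organization
    # trust with and without TGT delegation explicitly enabled.
    cases = {
        "within_forest": (True, TRUST_ATTRIBUTE_WITHIN_FOREST),
        "quarantined": (True, TRUST_ATTRIBUTE_WITHIN_FOREST | TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
        "cross_org_enabled": (True, TRUST_ATTRIBUTE_CROSS_ORGANIZATION
                              | TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION),
        "cross_org_default": (True, TRUST_ATTRIBUTE_CROSS_ORGANIZATION),
    }
    for name, (src_flag, attrs) in cases.items():
        print(name, referral_decision(src_flag, attrs, acl_check=lambda: True))
```

The usage at the bottom shows that a selective-authentication (cross-organization) trust only yields ok-as-delegate when the administrator has explicitly set TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION, and that a quarantined trust never does, regardless of the source ticket.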