On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket. MIT and Heimdal
>> KDCs both appear to perform the transited check and set the flag by default.
>
> But Windows KDCs don't set this bit (I guess because it's just not
> useful).
I don't agree at all that the bit isn't useful. That bit is how a KDC communicates that it vouches for the transited path.

Unfortunately, you do appear to be correct about Windows KDCs. MS-KILE says:

    The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE MUST
    NOT check for transited domains on servers or a KDC. Application
    servers MUST ignore the TRANSITED-POLICY-CHECKED flag.

which basically means Microsoft has declined to conform to RFC 4120 in this area, instead requiring servers to implement PACs to interoperate in a cross-realm environment. I guess the proposed credential option is necessary, in that case.
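The three behaviours the thread contrasts (honour the KDC's TRANSITED-POLICY-CHECKED flag, fall back to a local transited check, or disable the check by a local option) can be shown side by side in a small decision routine. The following is an added example, not code from MIT krb5, Heimdal or Samba. It assumes the domain-style subset of RFC 4120's DOMAIN-X500-COMPRESS encoding (X.500 "/" names and the null-subfield conventions are rejected so the caller fails closed), a simplified version of the hierarchical path rule from RFC 4120 section 3.3.3.2, and hypothetical parameter names (`trust_kdc_flag`, `ignore_transited`) standing in for the MIT option being discussed.

```python
"""Transited-realm acceptance at an application server (RFC 4120 2.7, 3.3.3.2).
Added illustration; not the implementation of any Kerberos library."""
from __future__ import annotations

# RFC 4120 section 5.3, TicketFlags: bit 12 is transited-policy-checked.
TRANSITED_POLICY_CHECKED = 12


class TransitedError(Exception):
    """The transited field is undecodable (unsupported form) here."""


def decompress_transited(encoded: str) -> list[str]:
    """Expand the domain-style subset of DOMAIN-X500-COMPRESS.

    Entries are comma separated.  An entry ending in '.' is a prefix that is
    prepended to the previously expanded realm, so the RFC 4120 example
    'EDU,MIT.,ATHENA.,WASHINGTON.EDU,CS.' expands to EDU, MIT.EDU,
    ATHENA.MIT.EDU, WASHINGTON.EDU, CS.WASHINGTON.EDU.  X.500 '/' names,
    leading-dot entries and null subfields are not handled: they raise.
    """
    if encoded == "":
        return []
    realms: list[str] = []
    for entry in encoded.split(","):
        if entry == "" or entry.startswith(("/", ".")):
            raise TransitedError(f"unsupported transited entry {entry!r}")
        if entry.endswith("."):
            if not realms:
                raise TransitedError("prefix entry with no preceding realm")
            realms.append(entry + realms[-1])
        else:
            realms.append(entry)
    return realms


def _chain(realm: str) -> list[str]:
    """A domain-style realm and its ancestors, nearest first:
    ATHENA.MIT.EDU -> [ATHENA.MIT.EDU, MIT.EDU, EDU]."""
    labels = realm.upper().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hierarchical_path(client_realm: str, server_realm: str) -> set[str]:
    """Intermediate realms permitted under the (simplified) hierarchical rule:
    ancestors of either endpoint down to their nearest common ancestor.
    A parent/child pair or two unrelated trees yield no permitted intermediate,
    i.e. only a direct cross-realm hop is accepted."""
    cc, sc = _chain(client_realm), _chain(server_realm)
    common = [r for r in cc if r in sc]
    if not common:
        return set()
    top = common[0]
    allowed = set(cc[:cc.index(top)]) | set(sc[:sc.index(top)]) | {top}
    return allowed - {cc[0], sc[0]}


def accept_transited(ticket_flags: set[int], transited: str,
                     client_realm: str, server_realm: str, *,
                     trust_kdc_flag: bool = True,
                     ignore_transited: bool = False) -> tuple[bool, str]:
    """Decide whether the server accepts the ticket's transited path.

    trust_kdc_flag: honour TRANSITED-POLICY-CHECKED (the RFC 4120 model);
        False models MS-KILE's "application servers MUST ignore the flag".
    ignore_transited: hypothetical local option standing in for the credential
        option discussed in the thread; skips the check entirely.
    """
    if ignore_transited:
        return True, "transited check disabled by local option"
    if trust_kdc_flag and TRANSITED_POLICY_CHECKED in ticket_flags:
        return True, "KDC vouched for the path (TRANSITED-POLICY-CHECKED set)"
    try:
        realms = decompress_transited(transited)
    except TransitedError as err:
        return False, f"undecodable transited field: {err}"
    allowed = hierarchical_path(client_realm, server_realm)
    bad = [r for r in realms if r.upper() not in allowed]
    if bad:
        return False, f"realm(s) off the hierarchical path: {bad}"
    return True, "local hierarchical check passed"


if __name__ == "__main__":
    # Constructed inputs: a ticket from a Windows-style KDC (flag never set)
    # routed through a realm that is not on the hierarchical path.
    for flags, opt in ((set(), {}), ({12}, {}), (set(), {"ignore_transited": True})):
        print(accept_transited(flags, "EXAMPLE.COM", "A.EXAMPLE.ORG",
                               "B.EXAMPLE.NET", **opt))
```

The middle case is the one the thread turns on: with the flag set, an RFC 4120 server accepts on the KDC's word; a Windows KDC never sets it, so the same ticket falls through to the local check and is rejected unless the local option disables the check.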