On 08/23/2017 07:01 PM, Stefan Metzmacher wrote:
>> I think we should first consider whether it would be sufficient for MIT
>> krb5 to suppress the rd_req transited check if the
>> TRANSITED-POLICY-CHECKED flag is set in the ticket. MIT and Heimdal
>> KDCs both appear to perform the transited check and set the flag by default.
> But Windows KDCs don't set this bit (I guess because it's just not
I don't agree at all that the bit isn't useful. That bit is how a KDC
communicates that it vouches for the transited path. Unfortunately, you
do appear to be correct about Windows KDCs. MS-KILE says:
    The TRANSITED-POLICY-CHECKED flag ([RFC4120] section 2.7): KILE
    MUST NOT check for transited domains on servers or a KDC.
    Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
which basically means Microsoft has declined to conform to RFC 4120 in
this area, instead requiring servers to implement PACs to interoperate
in a cross-realm environment.
I guess the proposed credential option is necessary, in that case.
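Added example, not code from MIT krb5, Heimdal, or anyone in this thread: the rd_req-side decision described above, written over the DER contents of a KerberosFlags BIT STRING (RFC 4120 numbers transited-policy-checked as TicketFlags bit 12). The allowlist policy, the boolean standing in for the proposed credential option, and the sample flag bytes are assumptions constructed for the example.

```python
# Added example: application-server decision for the transited check.
# RFC 4120 section 5.3 numbers TicketFlags bits from the most significant
# bit of the first content octet; transited-policy-checked is bit 12.

TRANSITED_POLICY_CHECKED = 12


def flag_set(flags_der: bytes, bit: int) -> bool:
    """Test ASN.1 bit number `bit` in the *contents* octets of a BIT STRING.

    Octet 0 holds the count of unused trailing bits; the flag bits follow,
    bit 0 being the MSB of the first data octet (DER, as in a ticket).
    """
    if not flags_der or flags_der[0] > 7:
        raise ValueError("malformed KerberosFlags BIT STRING")
    data = flags_der[1:]
    if bit >= len(data) * 8 - flags_der[0]:
        return False  # bit lies beyond the encoded length: not set
    return bool(data[bit // 8] & (0x80 >> (bit % 8)))


def transited_check_required(flags_der: bytes, option_skips_check: bool = False) -> bool:
    """Policy modelled on the thread:
    - KDC set TRANSITED-POLICY-CHECKED (MIT/Heimdal default): trust it, skip.
    - Flag absent (MS-KILE KDCs never set it): check locally, unless the
      proposed credential option (assumed here as a boolean) disables it.
    """
    if option_skips_check:
        return False
    return not flag_set(flags_der, TRANSITED_POLICY_CHECKED)


def accept_transited(flags_der, transited_realms, permitted_realms, option_skips_check=False):
    """Accept the ticket's transited path under the rule above; the local
    policy is a simple allowlist of intermediate realms (an assumption)."""
    if not transited_check_required(flags_der, option_skips_check):
        return True
    return all(realm in permitted_realms for realm in transited_realms)


# Constructed sample BIT STRING contents: 0 unused bits, 32 flag bits.
# Bit 10 (pre-authent) -> 0x20 in octet 1; bit 12 (transited-policy-checked) -> 0x08.
FLAGS_FROM_MIT_KDC = b"\x00\x00\x28\x00\x00"  # pre-authent + transited-policy-checked
FLAGS_FROM_WIN_KDC = b"\x00\x00\x20\x00\x00"  # pre-authent only

if __name__ == "__main__":
    path = ["EXAMPLE.NET"]  # constructed intermediate realm
    print(accept_transited(FLAGS_FROM_MIT_KDC, path, set()))            # True: KDC vouched
    print(accept_transited(FLAGS_FROM_WIN_KDC, path, set()))            # False: local policy
    print(accept_transited(FLAGS_FROM_WIN_KDC, path, {"EXAMPLE.NET"}))  # True
```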