Kerberos Transitive Trust Examined

Follow the author as he steps you through the Kerberos authentication process in a tree containing five domains.

Jan De Clercq

September 14, 1999


Suppose Alice has logged on to north.eu108.corp108.com with her user account, and she wants to access a resource on a server in east.na108.corp108.com. The following steps walk you through the Kerberos authentication process in a tree that contains five domains:

  1. Alice uses her ticket-granting ticket (TGT) to try to obtain a ticket from KDC1 for the resource server in the east domain. KDC1 isn't the authority for the resource server's east domain, so KDC1 refers Alice to the domain that is closest to the target domain among the domains the north domain has a Kerberos trust relationship with. This domain is eu108.

  2. KDC2 refers Alice to KDC3.

  3. KDC3 refers Alice to KDC4.

  4. KDC4 refers Alice to KDC5.

  5. KDC5 is the authority for the east domain, so KDC5 generates a ticket for Alice.

  6. Alice uses the ticket from KDC5 to access the resource server.

If you use Windows 2000's (Win2K's) software development kit (SDK) Klist utility to look at the ticket cache on Alice's machine, you'll find one TGT for each domain, one ticket for Alice's machine (part of the north domain), and one ticket for the resource server.

You can shorten this referral process by creating an explicit trust relationship (i.e., a shortcut trust) between the north and east domains. In this case, Alice will go through the following steps to access the resource located in the east domain:

  1. Alice uses her TGT to try to obtain a ticket from KDC1 for the resource server in the east domain. KDC1 isn't the authority for the resource server's east domain, so KDC1 refers Alice to the domain that is closest to the target domain among the domains the north domain has a Kerberos trust relationship with. This domain is east.

  2. KDC5 is the authority for the resource server's east domain, so KDC5 generates a ticket for Alice.

  3. Alice uses the ticket from KDC5 to access the resource server.

If you look at the ticket cache on Alice's machine after this process, you'll find only four tickets: one TGT for the north domain, one TGT for the east domain, one ticket for Alice's machine, and one ticket for the resource server. A shortcut trust reduces the interdomain authentication traffic and the number of Kerberos tickets issued.
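The two referral walks above, the four-hop walk through the tree and the one-hop walk over a shortcut trust, can be modelled as a shortest path over the trust graph. The following script is an added illustration and is not code from the article or from Windows 2000; it assumes the five domains implied by the names in the article (north.eu108.corp108.com, eu108.corp108.com, corp108.com, na108.corp108.com, east.na108.corp108.com), assumes the KDC1 to KDC5 labels map onto those domains in that order, and uses constructed names for Alice's workstation and the resource server. It reports the KDCs contacted and the ticket cache Klist would show afterwards, with and without the shortcut trust.

```python
"""Model Kerberos cross-domain referrals over a trust graph.

Added example, not part of the original article. Domain names follow the
article's five-domain tree; the KDC1..KDC5 mapping is an assumption drawn
from the order in which the article's steps visit the domains.
"""
from collections import deque

NORTH = "north.eu108.corp108.com"
EU108 = "eu108.corp108.com"
ROOT = "corp108.com"
NA108 = "na108.corp108.com"
EAST = "east.na108.corp108.com"

# Constructed trust list: the parent/child trusts of the article's tree.
# Windows 2000 forest trusts are two-way and transitive, so each entry is
# treated as an undirected edge.
TREE_TRUSTS = [(NORTH, EU108), (EU108, ROOT), (ROOT, NA108), (NA108, EAST)]

# The same tree plus an explicit shortcut trust between north and east.
SHORTCUT_TRUSTS = TREE_TRUSTS + [(NORTH, EAST)]

# Assumed mapping of the article's KDC labels onto the domains.
KDC_NAMES = {NORTH: "KDC1", EU108: "KDC2", ROOT: "KDC3", NA108: "KDC4", EAST: "KDC5"}


def build_graph(trusts):
    """Turn a list of trust pairs into an adjacency map."""
    graph = {}
    for a, b in trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def referral_path(trusts, client_domain, target_domain):
    """Return the domains whose KDCs the client contacts, in order.

    A KDC that is not the authority for the target refers the client to the
    trusted domain closest to the target; a breadth-first search over the
    trust graph reproduces that chain of referrals.
    """
    graph = build_graph(trusts)
    if client_domain not in graph or target_domain not in graph:
        raise ValueError("domain is not part of the trust graph")
    prev = {client_domain: None}
    queue = deque([client_domain])
    while queue:
        current = queue.popleft()
        if current == target_domain:
            break
        for nxt in sorted(graph[current]):
            if nxt not in prev:
                prev[nxt] = current
                queue.append(nxt)
    if target_domain not in prev:
        raise ValueError("no trust path between the two domains")
    path = []
    node = target_domain
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def describe_steps(path, kdc_names=KDC_NAMES):
    """Render the walk as referral steps in the article's style."""
    steps = [f"{kdc_names[a]} refers Alice to {kdc_names[b]}"
             for a, b in zip(path, path[1:])]
    steps.append(f"{kdc_names[path[-1]]} is the authority for {path[-1]} "
                 "and issues the service ticket")
    return steps


def ticket_cache(path):
    """Model the cache Klist shows after the walk: one TGT per domain on the
    referral path, plus the client machine's ticket and the service ticket."""
    tickets = [f"krbtgt/{domain}" for domain in path]
    tickets.append(f"host/alice-ws.{path[0]}")      # constructed machine name
    tickets.append(f"host/fileserver.{path[-1]}")   # constructed server name
    return tickets


if __name__ == "__main__":
    for label, trusts in (("tree only", TREE_TRUSTS), ("with shortcut", SHORTCUT_TRUSTS)):
        path = referral_path(trusts, NORTH, EAST)
        print(f"--- {label}: {len(path)} KDCs contacted ---")
        for step in describe_steps(path):
            print(step)
        print(f"{len(ticket_cache(path))} tickets in cache")
```

Running it shows seven cached tickets for the tree-only walk (five TGTs plus the machine and service tickets) against the four the article reports once the shortcut trust is in place; the breadth-first search picks the shortcut because east is then a direct neighbour of north.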
