Forum Discussion
Kerberos AAA with multiple domains/realms
After doing a bit more research (i.e., I asked an AD guy!), it appears that if a two-way trust exists between domains/forests, then when a client joined to domain1 asks the domain1 KDC for a TGS for a service in domain2, the domain1 KDC will refer you to the domain2 KDC to complete your request. In the end, the klist command on the client machine should have 2 TGTs (domain1 and domain2) and a TGS for the service you are trying to access. This can all be done with a single SPN in the keytab file as long as there is a two-way trust between the domains/realms.
That is my non-Windows guy understanding. Please let me know where I'm incorrect, because I would really like to understand this better.
Thanks
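As an added example (not from the poster or from F5), a small Python check of the ticket-cache state the post describes: it parses MIT krb5 `klist` output (the sample below is constructed; realm names, principal, SPN and cache path are assumed) and reports which of the local TGT, the cross-realm TGT and the service ticket are missing for a given target service. Windows `klist` uses a different layout and is not handled here.

```python
import re

# Constructed sample of MIT krb5 `klist` output after a successful cross-realm
# request; realm names, principal, SPN and cache path are invented for this example.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@DOMAIN1.EXAMPLE

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/DOMAIN1.EXAMPLE@DOMAIN1.EXAMPLE
01/01/2024 09:00:05  01/01/2024 19:00:00  krbtgt/DOMAIN2.EXAMPLE@DOMAIN1.EXAMPLE
01/01/2024 09:00:06  01/01/2024 19:00:00  HTTP/app.domain2.example@DOMAIN2.EXAMPLE
"""

# A ticket line is two timestamps followed by the ticket's service principal.
_STAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TICKET_LINE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(\S+@\S+)$")


def parse_klist(text):
    """Return (service, realm) pairs for every ticket line in klist output."""
    tickets = []
    for line in text.splitlines():
        match = _TICKET_LINE.match(line)
        if match:
            service, realm = match.group(1).rsplit("@", 1)
            tickets.append((service, realm))
    return tickets


def missing_for_cross_realm(tickets, home_realm, spn, target_realm):
    """Name the pieces of the referral chain absent from the cache.

    The chain is: a TGT from the home KDC, a cross-realm TGT (krbtgt/<target>@<home>)
    issued by the home KDC on referral, then the service ticket issued by the
    target realm's KDC. An empty list means all three are present.
    """
    expected = [
        ("local TGT", (f"krbtgt/{home_realm}", home_realm)),
        ("cross-realm TGT", (f"krbtgt/{target_realm}", home_realm)),
        ("service ticket", (spn, target_realm)),
    ]
    return [name for name, pair in expected if pair not in tickets]


if __name__ == "__main__":
    cache = parse_klist(SAMPLE_KLIST)
    gaps = missing_for_cross_realm(
        cache, "DOMAIN1.EXAMPLE", "HTTP/app.domain2.example", "DOMAIN2.EXAMPLE")
    print("referral chain complete" if not gaps else f"missing: {', '.join(gaps)}")
```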