Skip navigation
Menu
Security

Kerberos Transitive Trust Examined

Suppose Alice has logged on to north.eu108.corp108.com with her user account, and she wants to access a resource on a server in east.na108.corp108.com. The following steps walk you through the Kerberos authentication process in a tree that contains five domains:

  1. Alice uses her ticket-granting ticket (TGT) to try to obtain a ticket from KDC1 for the resource server in the east domain. KDC1 isn't the authority for the resource server's east domain, so KDC1 refers Alice to the domain closest to the target domain that the north domain has a Kerberos trust relationship with. This domain is eu108.
  2. KDC2 refers Alice to KDC3.
  3. KDC3 refers Alice to KDC4.
  4. KDC4 refers Alice to KDC5.
  5. KDC5 is the authority for the east domain, so KDC5 generates a ticket for Alice.
  6. Alice uses the ticket from KDC5 to access the resource server.

If you use Windows 2000's (Win2K's) software development kit (SDK) Klist utility to look at the ticket cache on Alice's machine, you'll find one TGT for each domain, one ticket for Alice's machine (part of the north domain), and one ticket for the resource server.

You can shorten this referral process by creating an explicit trust relationship (i.e., a shortcut trust) between the north and east domains. In this case, Alice will go through the following steps to access the resource located in the east domain:

  1. Alice uses her TGT to try to obtain a ticket from KDC1 for the resource server in the east domain. KDC1 isn't the authority for the resource server's east domain, so KDC1 refers Alice to the domain closest to the target domain that the north domain has a Kerberos trust relationship with. This domain is east.
  2. KDC5 is the authority for the resource server's east domain, so KDC5 generates a ticket for Alice.
  3. Alice uses the ticket from KDC5 to access the resource server.

If you look at the ticket cache on Alice's machine after this process, you'll find only four tickets: one TGT for the north domain, one TGT for the east domain, one ticket for Alice's machine, and one ticket for the resource server. A shortcut trust reduces the interdomain authentication traffic and the number of Kerberos tickets issued.

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024
cleaning products
6 Essential Steps for Spring Cleaning Your Website
Mar 21, 2024