Using the User's Realm and User Name to Identify the User

Service 1 uses the name and realm of the user to locate the appropriate domain controller (DC) to provide the authorization information for the user. The user's realm may be found by local policy, or, if the user name is a User Principal Name, by using KRB_AS_REQ and KRB_AS_REP messages as follows. Service 1 sends a KRB_AS_REQ without any pre-authentication to Service 1's Key Distributor Center (KDC). If this KDC holds the user's account, then it will return KDC_ERR_PREAUTH_REQUIRED, and the user's realm is handled by the KDC. Otherwise, the KDC can refer Service 1 to another realm that may contain the user account or that may have better information about the realm of the user account, as specified in [Referrals] section 4. The KDC does this by returning a KDC_ERR_WRONG_REALM error, as specified in [RFC4120] section 7.5.9, in the KDC_AS_REP and setting the crealm field to the next realm to try. Service 1 then sends a KRB_AS_REQ to the next realm, repeating the process until it reaches a KDC in the user's realm or receives some other error.

After the realm with the user's account is identified, Service 1 begins the protocol to retrieve the service ticket on behalf of the user. The first step is for the service to retrieve a TGT to the ticket-granting service (TGS) in the user's realm.

If the user's realm is the same as Service 1's realm, the service already has the TGT that it needs. If the user's account is in a different realm, the service constructs a KRB_TGS_REQ with the name of the TGS of the user's realm as the sname field in the request. The cname and crealm fields are set to the name and realm of Service 1. See [RFC4120] section 5.3 for the use of sname and cname. If there is not a direct trust relationship with an inter-realm key between Service 1's realm and the user's realm, the service's TGS will return a TGT to a realm closer to the user's realm. This process is repeated until Service 1 obtains a TGT to a TGS in the user's realm.

Using the TGT to the TGS in the user's realm, Service 1 requests a service ticket to itself. The S4U2self information in the KRB_TGS_REQ consists of: padata-type = PA-FOR-USER, which consists of four fields: userName, userRealm, cksum, and auth-package. Service 1 sets these fields as follows: The userName is a structure consisting of a name type and a sequence of a name string (as specified in [RFC4120] section 6.2). The name type and name string fields are set to indicate the name of the user. The default name-type is NT_UNKNOWN. The userRealm is the realm of the user account. If the user 's realm name is unknown, Service 1 SHOULD use its own realm name. The auth-package field MUST be set to the string, "Kerberos". The auth-package field is not case-sensitive.

The TGS first checks the user account. If the account is not found, a KRB-ERROR message with KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.

If the account exists and Service 1 is in the same realm as the user, the TGS will reply with the service ticket in the KRB_TGS_REP. The sname and realm in the service ticket MUST be set to name and realm of Service 1. The cname and crealm shall be that of the userName and userRealm fields of the PA-FOR-USER data. The reply ticketKRB_TGS_REP MAY also contain authorization data of the user, as specified in [MS-PAC].

If Service 1 is not in the user's realm, the user's TGS will reply with a KRB_TGS_REP message containing a referral TGT to the next realm in the trust chain. The cname and crealm in the KRB_TGS_REP will be set to name and realm of Service 1. The referral TGT MAY contain authorization data of the user identified in the PA-FOR-USER structure based on the policy of the TGS.

Multiple intermediate realms may need to be transited. Service 1 will send a KRB_TGS_REQ with the S4U2self data in the PA-FOR-USER structure to each TGS in turn along the referral path (as specified in [Referrals]). Each TGS along this path will reply with a TGT to the next TGS in the referral path.

When the KRB_TGS_REQ is finally sent from Service 1 to the TGS in Service 1's realm, the TGS will reply with a service ticket. The TGS in Service 1's realm MUST set the sname and realm in the service ticket to the name and realm of Service 1. The cname and crealm fields MUST be set to the name and realm of the user. The KRB_TGS_REP will contain the cumulative authorization based on the policy of each TGS transited.

If requested by the service in the KRB_TGS_REQ to the service's TGS and allowed by that TGS, the FORWARDABLE flag in the service ticket in the KRB_TGS_REP shall be set. The service MUST request a forwardable ticket if it wants to use the returned service ticket as the input for a later Service-for-User-to-Proxy (S4U2proxy) request.