dotnet/Kerberos.NET

Docs - Cross-realm service ticket retrieval

Closed this issue · 2 comments

It is not clear from the documentation whether cross-realm retrieval of a service ticket is supported or NOT.

I have a probably quite common use case within an enterprise usage scenario, where a user from realm1.local needs to access a service from realm2.local.

Looking at the implementation (/Kerberos.NET/Client/KerberosClient.cs, line 563) it looks like the TGS_REQ is always sent to the KDC of the user's realm rather than the KDC of the service's realm (the second realm).

Referrals are supported and work just fine.

```csharp
// is it a realm referral
if (originalServicePrincipalName.Name.Length == 1 &&
    respondedSName.FullyQualifiedName.StartsWith(originalServicePrincipalName.FullyQualifiedName, StringComparison.InvariantCultureIgnoreCase))
{
    // It's not a realm referral but it is the singly-named thing we asked for (e.g. "krbtgt")
    receivedRequestedTicket = true;
}
else if (!respondedSName.Matches(originalServicePrincipalName) &&
    respondedSName.IsKrbtgt())
{
    // it is a realm referral and we need to chase it
    string referral = TryFindReferralShortcut(encKdcRepPart);
```
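As an added illustration (not Kerberos.NET code), the following Python simulates the referral chase the snippet above implements: the client's own KDC answers a TGS_REQ for a foreign SPN with a krbtgt/<OTHER-REALM> ticket, and the client follows that referral until the requested SPN comes back, with a hop limit so a misconfigured trust chain cannot loop forever. The realm names, SPNs and trust tables are constructed sample data, and the toy KDC routes by DNS name suffix as an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    sname: str   # service principal in the returned ticket, e.g. "krbtgt/REALM2.LOCAL"
    realm: str   # realm whose KDC issued it

def is_krbtgt(sname: str) -> bool:
    return sname.split("/", 1)[0].lower() == "krbtgt"

def realm_of_spn(spn: str) -> str:
    # toy name-suffix routing (assumption): http/web.realm2.local -> REALM2.LOCAL
    return spn.split("/", 1)[1].split(".", 1)[1].upper()

class FakeKdc:
    """Toy KDC: its own SPNs plus a trust table (target realm -> next-hop realm)."""
    def __init__(self, realm, spns, trusts):
        self.realm, self.spns, self.trusts = realm, spns, trusts

    def tgs_req(self, spn: str) -> Ticket:
        if spn.lower() in self.spns:
            return Ticket(spn, self.realm)                  # the service ticket itself
        next_hop = self.trusts.get(realm_of_spn(spn))
        if next_hop is None:
            raise LookupError(f"{self.realm}: no trust path for {spn}")
        return Ticket(f"krbtgt/{next_hop}", self.realm)    # realm referral

def get_service_ticket(kdcs, client_realm, spn, max_hops=5):
    """Start at the user's own KDC and chase krbtgt referrals until the SPN comes back."""
    realm, hops = client_realm, []
    while len(hops) < max_hops:
        hops.append(realm)
        ticket = kdcs[realm].tgs_req(spn)
        if ticket.sname.lower() == spn.lower():
            return ticket, hops                             # got what we asked for
        if is_krbtgt(ticket.sname):                         # referral: chase it
            realm = ticket.sname.split("/", 1)[1]
            continue
        raise ValueError(f"unexpected ticket {ticket.sname} from {realm}")
    raise RuntimeError(f"referral chain too long or looping: {hops}")

# constructed sample topology: REALM1 has a direct trust to REALM2
KDCS = {
    "REALM1.LOCAL": FakeKdc("REALM1.LOCAL", {"cifs/fs.realm1.local"}, {"REALM2.LOCAL": "REALM2.LOCAL"}),
    "REALM2.LOCAL": FakeKdc("REALM2.LOCAL", {"http/web.realm2.local"}, {}),
}
```

Calling `get_service_ticket(KDCS, "REALM1.LOCAL", "http/web.realm2.local")` returns the REALM2-issued ticket after two hops; a trust table with no path raises LookupError, and two realms referring to each other hit the hop limit.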

This was a misunderstanding of an error related to weak crypto being used for the cross-realm trust. Clearly referrals are supported.