Mahdi posted this 16 February 2019


Let's say we have two forests with a forest trust between them. A user from JP.ASIA.CONTOSO.COM domain wants to connect to a share in SERVER1.PARIS.EU.FABRIKAM.NET. So:

  • The client fetches the SPN > cifs/SERVER1.PARIS.EU.FABRIKAM.NET
  • Puts the SPN in a packet along with its local TGT for domain JP.ASIA.CONTOSO.COM and sends a TGS request to the KDC in its local domain. (Since the client already has a TGT, it will send a TGS for the file server? right?)
  • The KDC in JP.ASIA.CONTOSO.COM does not find the SPN, so it asks the closest GC, and the GC will tell it "Hey, I do not have that SPN, but there is a TRUST ending with that name. You have to go up. That's all I know."

So the question here is, the workstation needs to go to a parent. At first it goes to ASIA.CONTOSO.COM and contacts the KDC. But here, the KDC needs to authenticate it. In that case, will the KDC give it a second TGT for ASIA.CONTOSO.COM and the client will discard its previous TGT? Or since the client already has a TGT in a child domain and it is trusted, is there no need for an extra TGT? If that requires a second TGT, does the KDC encrypt that TGT with krbtgt and resend it to the client? I cannot follow exactly what happens under the hood at this point.

Let's suppose the client manages to reach CONTOSO.COM, which is the forest root. At this point, the KDC for CONTOSO.COM will have to refer the client to FABRIKAM.NET. So is this referral again going to be with a TGT for the remote domain? So how will it be encrypted? The krbtgt again? The password within the TDO?


I never went that deep into referrals. I always thought "Ok, this is a referral. Simple as that!" but since I decided to dive in, I was introduced to these confusing concepts.


Thank you!
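The referral walk described in this post, as an added example that is not part of the original thread: a small Python model of the trust path from the client's realm up to its forest root, across the forest trust and down to the service's realm, showing the cross-realm TGT each KDC hands back and which key protects it. Realm names are the ones from the question; the key labels are placeholders, and the service realm is assumed to be the host's DNS parent domain (a real KDC would use name-suffix routing via the GC).

```python
"""Trace the Kerberos referral chain across a forest trust (constructed model)."""

FOREST_ROOTS = ("CONTOSO.COM", "FABRIKAM.NET")
FOREST_TRUSTS = {frozenset(("CONTOSO.COM", "FABRIKAM.NET"))}  # two-way forest trust


def forest_root(realm):
    """Return the forest root that 'realm' belongs to (DNS-name based)."""
    for root in FOREST_ROOTS:
        if realm == root or realm.endswith("." + root):
            return root
    raise ValueError(f"unknown forest for {realm}")


def ancestors(realm):
    """[realm, parent, ..., forest root], stripping one DNS label per step."""
    chain = [realm]
    while chain[-1] != forest_root(realm):
        chain.append(chain[-1].split(".", 1)[1])
    return chain


def referral_path(client_realm, spn):
    """Hops the client's TGS requests take from its own realm to the service's.

    Each hop is (issuing_realm, target, credential, encrypted_with).  A referral
    hands back a cross-realm TGT krbtgt/NEXT@ISSUING, encrypted with the
    inter-realm key the two realms share (in AD: the trust-account password
    held in the TDO, not the local krbtgt key).  The client keeps its original
    TGT and adds each referral TGT to its cache.  Shortcut trusts would skip
    intermediate hops; none are modelled here.
    """
    # Simplification: realm = DNS parent domain of the SPN's host.
    service_realm = spn.split("/", 1)[1].split(".", 1)[1].upper()
    up = ancestors(client_realm)                      # client realm -> its root
    down = list(reversed(ancestors(service_realm)))   # remote root -> service realm
    if frozenset((up[-1], down[0])) not in FOREST_TRUSTS:
        raise ValueError("no forest trust between the two forests")
    realms = up + down
    hops = [(here, nxt, f"krbtgt/{nxt}@{here}", f"inter-realm key ({here} <-> {nxt})")
            for here, nxt in zip(realms, realms[1:])]
    # Final TGS exchange: the service's own KDC issues the service ticket.
    hops.append((service_realm, spn, f"{spn}@{service_realm}", "service account key"))
    return hops


if __name__ == "__main__":
    for hop in referral_path("JP.ASIA.CONTOSO.COM", "cifs/SERVER1.PARIS.EU.FABRIKAM.NET"):
        print(" -> ".join(hop))
```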

bdesmond posted this 16 February 2019

The diagrams in this article show you the process of how this works -






Mahdi posted this 18 February 2019

Thanks Brian, I went through that link which you provided! It was helpful!


However, when it is said "referral", what exactly is inside that referral? A ticket referred to the remote domain or a ticket for the parent of the local domain? For example, if wants to access , will the referral be for itself, or will the client be referred to first as its parent and, from that point, have another referral to and so on?


yawpee posted this 19 February 2019

Can you please share the link:



barkills posted this 23 February 2019

Resending my previous reply that never was received, now that the list outage has been cleared.






Mahdi posted this 04 March 2019

Brian, I do not know why I never see your reply. It is strange. I just see you have replied, but I don't know what you have written.


Anyway, after following all the links, I made a video explaining this referral process. I hope it is correct to a large extent. Here is the link: