Let's say we have two forests with a forest trust between them. A user from the JP.ASIA.CONTOSO.COM domain wants to connect to a share on SERVER1.PARIS.EU.FABRIKAM.NET. So:
- The client fetches the SPN: cifs/SERVER1.PARIS.EU.FABRIKAM.NET
- It puts the SPN in a packet along with its local TGT for domain JP.ASIA.CONTOSO.COM and sends a TGS request to the KDC in its local domain. (Since the client already has a TGT, it will send a TGS request for the file server, right?)
- The KDC in JP.ASIA.CONTOSO.COM does not find the SPN, so it asks the closest GC, and the GC will tell it "Hey, I do not have that SPN, but there is a TRUST ending in that name. You have to go up. That's all I know."
So the question here is: the workstation needs to go to a parent. At first it goes to ASIA.CONTOSO.COM and contacts the KDC. But here, the KDC needs to authenticate it. In that case, will the KDC give it a second TGT for ASIA.CONTOSO.COM and the client will discard its previous TGT? Or, since the client already has a TGT in a child domain and it is trusted, is there no need for an extra TGT? If that requires a second TGT, does the KDC encrypt that TGT with krbtgt and send it back to the client? I cannot follow exactly what happens under the hood at this point.
Let's suppose the client manages to reach CONTOSO.COM, which is the forest root. At this point, the KDC for CONTOSO.COM will have to refer the client to FABRIKAM.NET. So is this referral again going to be with a TGT for the remote domain? If so, how will it be encrypted? The krbtgt again? The password within the TDO?
I never went that deep into referrals. I always thought "OK, this is a referral. Simple as that!" but since I decided to dive in, I was introduced to these confusing concepts.
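The hop-by-hop walk the question describes can be modelled as a trust graph, which makes it easier to see what each KDC hands back. The following is an added example, not code from the post or from any Kerberos implementation: it uses the realm names from the question, treats every trust as a two-way edge, and picks the shortest chain of trusts with a breadth-first search (an assumption; a real AD KDC decides the next hop from its trusted-domain objects and GC lookups, and shortcut trusts change the path the same way an extra edge does here). At each hop the model records the referral TGT `krbtgt/NEXT@HERE` that the current KDC issues, sealed with the inter-realm key the two realms share (in AD that key is derived from the trust password held in the TDO), and it ends with the service ticket sealed with the service account's key; the client keeps its original TGT and presents the newest referral TGT to the next KDC.

```python
"""Toy model of a Kerberos referral chain across parent/child and forest trusts.

Added example, not from the post. Realm names follow the question; the trust
topology is constructed and the path search is a simplifying assumption.
"""
from collections import deque
from dataclasses import dataclass

# Constructed topology: child realm -> parent realm inside each forest.
PARENT = {
    "JP.ASIA.CONTOSO.COM": "ASIA.CONTOSO.COM",
    "ASIA.CONTOSO.COM": "CONTOSO.COM",
    "PARIS.EU.FABRIKAM.NET": "EU.FABRIKAM.NET",
    "EU.FABRIKAM.NET": "FABRIKAM.NET",
}
# Constructed forest trust between the two forest roots (shortcut trusts can be appended).
EXTRA_TRUSTS = [("CONTOSO.COM", "FABRIKAM.NET")]


@dataclass(frozen=True)
class Ticket:
    sname: str            # principal the ticket is for: krbtgt/NEXT or the real SPN
    issuing_realm: str    # KDC that minted the ticket
    encrypted_with: str   # key that seals it: inter-realm key or service key


def trust_graph(parent=PARENT, extra=EXTRA_TRUSTS):
    """Adjacency list; every trust is treated as two-way in this model (assumption)."""
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for child, par in parent.items():
        link(child, par)
    for a, b in extra:
        link(a, b)
    return graph


def realm_of_spn(spn):
    """cifs/SERVER1.PARIS.EU.FABRIKAM.NET -> PARIS.EU.FABRIKAM.NET.

    Assumption: the host's DNS suffix names its realm. A real KDC resolves the
    owning realm through the global catalog and trust objects instead.
    """
    host = spn.split("/", 1)[1]
    return host.split(".", 1)[1].upper()


def trust_path(src, dst, graph=None):
    """Breadth-first search for the shortest chain of trusts from src to dst."""
    graph = graph if graph is not None else trust_graph()
    prev = {src: None}
    queue = deque([src])
    while queue:
        realm = queue.popleft()
        if realm == dst:
            path = []
            while realm is not None:
                path.append(realm)
                realm = prev[realm]
            return path[::-1]
        for nxt in sorted(graph.get(realm, ())):
            if nxt not in prev:
                prev[nxt] = realm
                queue.append(nxt)
    # No trust path: a real KDC would answer the TGS request with an error instead.
    raise LookupError(f"no trust path from {src} to {dst}")


def referral_chain(client_realm, spn, graph=None):
    """Tickets the client collects, in order, before it holds the service ticket."""
    target_realm = realm_of_spn(spn)
    path = trust_path(client_realm, target_realm, graph)
    tickets = []
    for here, nxt in zip(path, path[1:]):
        # Referral TGT krbtgt/NEXT@HERE, sealed with the inter-realm key HERE shares with NEXT.
        tickets.append(Ticket(f"krbtgt/{nxt}", here, f"krbtgt/{nxt}@{here} (inter-realm key)"))
    # Last hop: the target realm's KDC issues the service ticket under the service key.
    tickets.append(Ticket(spn, target_realm, f"{spn}@{target_realm} (service key)"))
    return tickets


if __name__ == "__main__":
    for t in referral_chain("JP.ASIA.CONTOSO.COM", "cifs/SERVER1.PARIS.EU.FABRIKAM.NET"):
        print(f"{t.issuing_realm:24} issues {t.sname:40} sealed with {t.encrypted_with}")
```

Run as-is it prints five referral TGTs (JP.ASIA → ASIA → CONTOSO → FABRIKAM → EU.FABRIKAM → PARIS.EU.FABRIKAM) followed by the cifs service ticket; adding a shortcut trust between the two leaf realms to `EXTRA_TRUSTS` collapses the chain to a single referral, which is the reason shortcut trusts exist.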