The memo documents a method for a Kerberos Key Distribution Center
(KDC) to respond to client requests for Kerberos tickets when the
client does not have detailed configuration information on the realms
of users or services. The KDC will handle requests for principals in
other realms by returning either a referral error or a cross-realm
TGT to another realm on the referral path. The clients will use this
referral information to reach the realm of the target principal and
then receive the ticket. This memo also provides a mechanism for
verifying that a request has not been tampered with in transit.
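As an added illustration (not part of the memo or of any KDC implementation), a constructed model of the referral walk the abstract describes: the client asks its own KDC, receives a cross-realm TGT for the next realm on the path, repeats there, and stops when the target realm issues the ticket or when a loop or hop bound is hit. The realm names, the next-hop tables and MAX_REFERRALS are constructed; nothing here is the memo's wire format.

```python
# Constructed model of the referral-following loop described in the abstract;
# nothing here is the memo's wire format or cryptography. Assumption: each KDC
# knows its own service principals and a next-hop table (krb5 [capaths]-like).
from dataclasses import dataclass, field

MAX_REFERRALS = 5  # client-side hop bound; constructed value, not from the memo

@dataclass
class Kdc:
    realm: str
    services: set = field(default_factory=set)    # principals this realm can issue tickets for
    next_hop: dict = field(default_factory=dict)  # target realm -> next realm on the referral path

    def handle_tgs_req(self, service, target_realm):
        """Issue the service ticket if local, else a cross-realm TGT toward the target realm."""
        if target_realm == self.realm:
            if service in self.services:
                return ("ticket", f"{service}@{self.realm}")
            raise LookupError(f"{service} is not a principal of {self.realm}")
        hop = self.next_hop.get(target_realm)
        if hop is None:
            raise LookupError(f"{self.realm} has no referral path to {target_realm}")
        # A cross-realm TGT is a ticket for krbtgt/<next realm> issued by this realm.
        return ("referral", f"krbtgt/{hop}@{self.realm}")

def obtain_service_ticket(kdcs, client_realm, service, target_realm):
    """Walk the referral path from the client's realm; return (ticket, realms visited)."""
    visited, realm = [], client_realm
    while len(visited) < MAX_REFERRALS:
        if realm in visited:  # misconfigured next-hop tables can send the client in a circle
            raise RuntimeError("referral loop: " + " -> ".join(visited + [realm]))
        visited.append(realm)
        kind, value = kdcs[realm].handle_tgs_req(service, target_realm)
        if kind == "ticket":
            return value, visited
        # Accept only a krbtgt/<realm> ticket issued by the KDC that was actually asked.
        name, issuer = value.split("@")
        if not name.startswith("krbtgt/") or issuer != realm:
            raise ValueError(f"unexpected referral ticket {value} from {realm}")
        realm = name[len("krbtgt/"):]
    raise RuntimeError(f"gave up after {MAX_REFERRALS} referrals: {visited}")

# Constructed realms: CLIENT.EXAMPLE -> HUB.EXAMPLE -> SVC.EXAMPLE, plus a deliberate loop.
KDCS = {k.realm: k for k in (
    Kdc("CLIENT.EXAMPLE", next_hop={"SVC.EXAMPLE": "HUB.EXAMPLE", "LOOP.EXAMPLE": "HUB.EXAMPLE"}),
    Kdc("HUB.EXAMPLE", next_hop={"SVC.EXAMPLE": "SVC.EXAMPLE", "LOOP.EXAMPLE": "CLIENT.EXAMPLE"}),
    Kdc("SVC.EXAMPLE", services={"host/www.svc.example"}),
)}

print(obtain_service_ticket(KDCS, "CLIENT.EXAMPLE", "host/www.svc.example", "SVC.EXAMPLE"))
```

Requesting a service in LOOP.EXAMPLE exercises the loop check, since the two constructed next-hop tables refer the client back and forth.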
Working Group Summary
This document represents the consensus of the Kerberos Working Group.
Having been under development for quite some time, it has a long
and somewhat complex history and has gone through several changes in
editorship. It has been discussed extensively and there has been
ongoing support for the functionality added by this document.
Over its life, this document has undergone a number of changes.
Most recently, it has been reworked to take advantage of other
work done in the working group since work on this document began,
resulting in a considerably simpler document which is easier both
to understand and to implement.
Some features which were originally planned for this document or
added during its development have been removed. In some cases,
this is to better align with existing and planned implementations.
In others, it is because the working group has not yet been able
to produce satisfactory solutions to certain problems, and so has
decided to defer work on those issues.
At least two major implementations support the Kerberos protocol
extensions defined in this document.
The Document Shepherd for this document is Jeffrey Hutzelman.
The responsible Area Director is Stephen Farrell.
RFC Editor Note
(1) Please insert expansions for the following acronyms:
- Abstract: TGT => Ticket Granting Ticket
- Section 1, Paragraph 1: AS => Authentication Service
- Section 1, Paragraph 1: TGS => Ticket Granting Service
- Section 1, Paragraph 2: KDC => Key Distribution Center
(2) In Section 11, second-to-last paragraph, last sentence:
OLD:
   The value for this padata item should be empty.
NEW:
   The padata item MUST be empty on sending and the contents of the
   padata item MUST be ignored on receiving.
(3) Section 6, in the ASN.1 fragment on page 9:
OLD:
   login-aliases  SEQUENCE(1..MAX) OF PrincipalName,
NEW:
   login-aliases  SEQUENCE (SIZE (1..MAX)) OF PrincipalName,
(4) Section 11, 3rd paragraph:
OLD:
   The KDC response is extended
NEW:
   The KDC response [RFC4120] is extended