Determine whether the ticket has been policy-checked for transit (TRANSITED-POLICY-CHECKED).

The application server is ultimately responsible for accepting or rejecting authentication and SHOULD
check that only suitably trusted KDCs are relied upon to authenticate a principal. The transited field
in the ticket identifies which realms (and thus which KDCs) were involved in the authentication process,
and an application server would normally check this field. If any of these are untrusted to authenticate
the indicated client principal (probably determined by a realm-based policy), the authentication attempt
MUST be rejected. The presence of trusted KDCs in this list does not provide any guarantee; an untrusted
KDC may have fabricated the list.

While the end server ultimately decides whether authentication is valid, the KDC for the end server's
realm MAY apply a realm-specific policy for validating the transited field and accepting credentials for
cross-realm authentication. When the KDC applies such checks and accepts such cross-realm authentication,
it will set the TRANSITED-POLICY-CHECKED flag in the service tickets it issues based on the cross-realm
TGT. A client MAY request that the KDCs not check the transited field by setting the
DISABLE-TRANSITED-CHECK flag. KDCs are encouraged but not required to honor this flag.

Application servers MUST either do the transited-realm checks themselves, or reject cross-realm tickets
without TRANSITED-POLICY-CHECKED set.
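The server-side decision described above, as an added example written for this page (it is not text or code from RFC 4120 or from any Kerberos implementation): accept the local KDC's TRANSITED-POLICY-CHECKED flag when policy allows, otherwise decode the transited field and reject the ticket if any realm on the path, the client's own realm included, lies outside the trusted set. The `Ticket` and `TransitPolicy` types, the `check_transit` function and the sample realms are constructed for illustration. The decoder assumes only the comma separation, backslash quoting and trailing-dot abbreviation of the DOMAIN-X500-COMPRESS encoding (RFC 4120 section 3.3.3.2) and fails closed on anything it does not recognise, including an abbreviation in the first position, whose expansion the RFC defines and this sketch does not attempt.

```python
# Transited-realm policy check for a Kerberos service ticket (RFC 4120 section 2.7).
# Example code written for this page, not from RFC 4120 or any Kerberos
# implementation; the types and sample realms below are constructed.
from dataclasses import dataclass

# Bit number of TRANSITED-POLICY-CHECKED in TicketFlags (RFC 4120 section 5.3).
TRANSITED_POLICY_CHECKED = 12


@dataclass(frozen=True)
class Ticket:
    """The fields of a decrypted service ticket that the check needs (constructed type)."""
    crealm: str                      # realm whose KDC authenticated the client
    transited: str                   # transited.contents as carried in the ticket
    flags: frozenset = frozenset()   # numbers of the TicketFlags bits that are set


@dataclass(frozen=True)
class TransitPolicy:
    """Realm-based policy: which realms' KDCs may take part in authenticating a client."""
    trusted_realms: frozenset
    # Accept TRANSITED-POLICY-CHECKED from our own KDC instead of checking ourselves.
    accept_kdc_check: bool = True


def _split_elements(contents):
    """Split on unescaped commas; a backslash quotes the next character.

    Returns (name, last_char_was_escaped) pairs so that an escaped trailing '.'
    is not mistaken for an abbreviation.
    """
    elems, buf, escaped, i = [], [], False, 0
    while i < len(contents):
        ch = contents[i]
        if ch == "\\":
            if i + 1 >= len(contents):
                raise ValueError("dangling escape at end of transited field")
            buf.append(contents[i + 1])
            escaped, i = True, i + 2
        elif ch == ",":
            elems.append(("".join(buf), escaped))
            buf, escaped, i = [], False, i + 1
        else:
            buf.append(ch)
            escaped, i = False, i + 1
    elems.append(("".join(buf), escaped))
    return elems


def decode_transited(contents):
    """Expand the transited field into a list of realm names.

    Assumption: only comma separation, backslash quoting and the trailing-'.'
    abbreviation of DOMAIN-X500-COMPRESS (RFC 4120 section 3.3.3.2) are handled,
    so "EDU,MIT." is EDU followed by MIT.EDU.  Anything else raises ValueError
    and the caller fails closed.
    """
    if contents == "":
        return []                     # no intermediate realm: direct cross-realm trust
    realms = []
    for name, escaped in _split_elements(contents):
        if name == "":
            raise ValueError("empty realm name in transited field")
        if name.endswith(".") and not escaped:
            if not realms:
                raise ValueError("abbreviation %r has no preceding realm" % name)
            name += realms[-1]        # "MIT." after "EDU" expands to MIT.EDU
        realms.append(name)
    return realms


def check_transit(ticket, policy):
    """Decide whether every KDC behind this ticket is trusted. Returns (ok, reason)."""
    if TRANSITED_POLICY_CHECKED in ticket.flags and policy.accept_kdc_check:
        # The flag sits in the encrypted part of the ticket, which only the
        # server's own KDC can produce, so a foreign realm cannot forge it.
        return True, "TRANSITED-POLICY-CHECKED set by local KDC"
    try:
        path = decode_transited(ticket.transited)
    except ValueError as err:
        return False, "undecodable transited field: %s" % err
    # The client's own realm vouched for the principal, so it is checked as well.
    for realm in [ticket.crealm] + path:
        if realm not in policy.trusted_realms:
            # One untrusted hop rejects the whole path: the trusted names around
            # it may themselves have been written by the untrusted KDC.
            return False, "realm %s not trusted to authenticate client" % realm
    return True, "all realms on the path are trusted"


if __name__ == "__main__":
    policy = TransitPolicy(frozenset({"ATHENA.MIT.EDU", "MIT.EDU", "EDU", "WASHINGTON.EDU"}))
    for t in (Ticket("ATHENA.MIT.EDU", "MIT.EDU,EDU,WASHINGTON.EDU"),
              Ticket("ATHENA.MIT.EDU", "MIT.EDU,EVIL.EXAMPLE,WASHINGTON.EDU"),
              Ticket("ATHENA.MIT.EDU", "MIT.", frozenset({TRANSITED_POLICY_CHECKED}))):
        print(repr(t.transited), "->", check_transit(t, policy))
```

Two design points worth noting: the client's realm is checked alongside the transited realms because its KDC is the one that actually authenticated the principal, and a single untrusted realm rejects the ticket even when trusted realms appear around it, which is exactly the "trusted KDCs in this list do not provide any guarantee" rule. With `accept_kdc_check` set to False the server ignores the flag and always runs its own check, which is the stricter of the two options the last paragraph allows.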