[cifs-protocol] [SR120012721001773] Clarify in MS-KILE 3.3.5.7.5 how the KDC makes the decision

Hung-Chun Yu HungChun.Yu at microsoft.com
Mon Jan 27 20:25:37 UTC 2020


-Dochelp [BCC]
+Support [CC]

Hi Isaac,

Thank you for your question. We created SR 120012721001773; please leave this info in the subject line to track your issue. An engineer will contact you soon.

Hung-Chun Yu
Microsoft Protocols Support

-----Original Message-----
From: Isaac Boukris <iboukris at gmail.com> 
Sent: Monday, January 27, 2020 10:34 AM
To: Interoperability Documentation Help <dochelp at microsoft.com>; Stefan Metzmacher <metze at samba.org>; cifs-protocol at lists.samba.org
Subject: [EXTERNAL] Clarification request about TGT forwarding within forest MS-KILE 3.3.5.7.5

Hello dochelp,

This is a follow-up question to:
https://lists.samba.org/archive/cifs-protocol/2020-January/003368.html

Per my testing using an updated Windows 2019, the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION trust attribute is not required when both domains are in the same forest, and even if it is not set, the Windows KDC still sets the ok-as-delegate flag.

Could you please clarify in MS-KILE 3.3.5.7.5 how the KDC makes the decision not to require the ENABLE_TGT attribute when in the same forest, and whether the NO_TGT attribute applies in that case or not?

Thanks!


