2-way transitive forest trust required for Kerberos constrained delegation

Version 4

    Verified Product Versions

    File Director 4.2File Director 4.3


    Ivanti File Director can be configured to support Kerberos Single Sign-on by using kerberos constrained delegation as per Constrained delegation support (Credential guard support)

    One of the requirements for this is that if the connecting users originate from another forest, a 2-way transitive forest trust must be configured. This knowledge article provides further details as to why this is required.



    The File Director appliance is not domain-joined, however, where Kerberos SSO is used, it is configured with a pre-authentication account which must be in the same domain as the file server(s) that will host the map points.

    When a user logs on from another forest, the multi-realm constrained delegation process where a 2-way transitive forest trust is in place is as follows:


    1. The File Director appliance contacts its Ticket-Granting Server (TGS) which is the KDC (Key Distribution Centre) for the domain hosting the pre-authentication account specified in the Kerberos settings (Realm A). It requests a Ticket-Granting Ticket (TGT) for the TGS in the end user's realm (Realm B)


    2. The  TGS in Realm A returns a cross-realm ticket to the TGS in Realm B


    3. The File Director appliance uses this cross-realm TGT to make an S4U2Self request to the TGS in Realm B


    4. Realm B creates a PAC (privilege attribute certificate containing user authorisation information) and returns it in a TGT referral to the File Director appliance


    5. The File Director appliance uses this TGT referral to request a service ticket for itself from the TGS in Realm A on behalf of the user in Realm B


    6. The TGS in Realm A returns a service ticket which encapsulates the authorisation information provided by the TGS in Realm B


    In the case where a 1-way outgoing forest trust is in place between Realm A and Realm B (Where users in Realm B can access resources in Realm A) Step 1-2 above will fail, as the TGS in Realm A does not have an authentication path to the TGS in Realm B


    Note, this is a Microsoft / protocol limitation and not a direct limitation of File Director.




    [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol