In an inter-child domain environment:
ABC.COM
|
|- XX.ABC.COM
|- YY.ABC.COM
|- ZZ.ABC.COM
When the PCS device tries to fetch the cross-realm TGT, the TGS-REQ is correct, but in the TGS-REP the backend responds with a referral TGT for realm ABC.COM instead of a cross-realm TGT for realm YY.ABC.COM.
The backend server sends a valid ticket and then expects the PCS device to use that ticket to try the next level of trust. The PCS device does not store referral TGTs, and it has no implementation for going up to the next level of the trust path to fetch TGTs.
Support for referral TGTs is limited for the following reason:
“PCS does not store the referral TGTs and hence it does not have implementation to go up to the next level of trust to fetch TGTs.”
PCS currently supports cross-realm TGTs if a direct trust between the client KDC and the server KDC (a two-way direct trust relationship between the domains) exists.
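The referral walk described above, modelled as an added example (not PCS or KDC code): the trust table is constructed from the realm tree on this page and all function names are hypothetical. It goes slightly beyond the text by also showing that a direct two-way trust between XX.ABC.COM and YY.ABC.COM yields the cross-realm TGT in a single exchange.

```python
# Constructed model of the realm tree on this page; not PCS or KDC code.
# Each realm maps to the realms it has a direct two-way trust with.
TREE_TRUSTS = {
    "ABC.COM": {"XX.ABC.COM", "YY.ABC.COM", "ZZ.ABC.COM"},
    "XX.ABC.COM": {"ABC.COM"},
    "YY.ABC.COM": {"ABC.COM"},
    "ZZ.ABC.COM": {"ABC.COM"},
}


def kdc_tgs_rep(kdc_realm, target_realm, trusts):
    """Realm named in the krbtgt ticket this KDC issues for the request.

    Equal to target_realm: cross-realm TGT. Anything else: referral TGT.
    """
    if target_realm in trusts[kdc_realm]:
        return target_realm
    # No direct trust: refer the client one level up the tree.
    up = kdc_realm.split(".", 1)[1]
    if up not in trusts[kdc_realm]:
        raise LookupError(f"no trust path from {kdc_realm} to {target_realm}")
    return up


def fetch_cross_realm_tgt(client_realm, target_realm, trusts, follow_referrals):
    """Return the krbtgt tickets obtained on the way to target_realm."""
    tickets, kdc = [], client_realm
    while True:
        issued = kdc_tgs_rep(kdc, target_realm, trusts)
        tickets.append(f"krbtgt/{issued}@{kdc}")
        if issued == target_realm:
            return tickets
        if not follow_referrals:
            # Behaviour described on this page: the referral TGT is not
            # stored, so the next level of the trust path is never asked.
            raise RuntimeError(f"referral {tickets[-1]} not followed")
        kdc = issued  # present the referral TGT to the next KDC


def with_direct_trust(trusts, a, b):
    """Copy of trusts with a two-way direct trust added between a and b."""
    new = {realm: set(peers) for realm, peers in trusts.items()}
    new[a].add(b)
    new[b].add(a)
    return new
```

A client that follows referrals obtains two tickets (one from XX.ABC.COM, one from ABC.COM); a client that does not stops at the first one unless the direct trust exists.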