feat: support for Kerberos cross realm referral

[Richard Markiewicz (thenextman)]

RDP/NLA via FreeRDP and sspi-rs failed when a parent-domain user (richard@rjm.local) authenticated to a host in a child domain (TERMSRV/WIN-UE7FOENEK0D.dev.rjm.local) with

InvalidToken: Asn1 error: "Expected Application number tag 15 but got: 30"

(Kerberos app tags: 15 = AP-REP, 30 = KRB-ERROR — i.e. we expected an AP-REP from the server but got a KRB-ERROR.)

Root cause

sspi-rs has no cross-realm referral chasing. A KDC only issues tickets for principals in its own realm; for a service in another realm it returns a referral TGT (sname = krbtgt/<NEXT_REALM>), and the client must re-send the TGS-REQ to that next realm. Instead, sspi-rs:

1. Sent the TGS-REQ to the home KDC (RJM.LOCAL) → got back a referral TGT for krbtgt/DEV.RJM.LOCAL.
2. Stuffed that referral TGT directly into the AP_REQ as if it were the service ticket.
3. The target (WIN-UE7FOENEK0D) couldn't decrypt a ticket encrypted with the trust key; returned KRB-ERROR 41 (KRB_AP_ERR_MODIFIED).
4. sspi-rs tried to parse that KRB-ERROR as an AP-REP ---> InvalidToken.

What we changed

Referral chasing loop in the TGS exchange (src/kerberos/client/mod.rs): after each TGS-REP, if the returned ticket sname is krbtgt/<NEXT_REALM>, re-issue the TGS-REQ for the same SPN to that realm using the referral TGT, chaining the session key and authenticator each hop, until the real service ticket comes back. Bounded to 10 hops with a no-progress guard.

Per-realm KDC routing (src/kerberos/mod.rs): split send into send/send_to and added send_for_realm. The pinned kdc_url (KDC proxy) stays authoritative for the home realm only; referral hops resolve through detect_kdc_url(realm).

Helper and tests: extracted referral_target_realm(sname) (testable predicate) with 5 unit tests.

Key decisions

Reuse the existing per-realm resolution chain rather than add new config. Referral hops route via the existing SSPI_KDC_URL_<REALM> env → krb5.conf → DNS SRV (_kerberos._tcp.) fallback. No new FFI/config plumbing; set one env var (or rely on DNS) and it works.

Pinned KDC = home realm only. A KDC proxy pinned to the home DC can't decrypt a krbtgt/<NEXT_REALM> referral ticket, so referral hops must reach the target realm's KDC.

For further discussion

(Because I'm trying to keep these changes focussed)

Windows DNS SRV limitations (src/dns.rs): the Windows path forces port :88 (ignores the SRV port) and reads only the first SRV record (no multi-DC failover).

Dotted env-var friction: SSPI_KDC_URL_DEV.RJM.LOCAL breaks PowerShell $env: parsing. Add underscore-normalized aliasing (SSPI_KDC_URL_DEV_RJM_LOCAL)?

U2U + referral interaction: additional_tickets is only carried on the first hop; edge case, likely fine, but worth a sanity check.

[Copilot]

Pull request overview

This PR fixes Kerberos cross-realm authentication by adding referral chasing during the TGS exchange, ensuring the client follows krbtgt/<NEXT_REALM> referral TGTs until it obtains the actual service ticket for the requested SPN.

Changes:

• Adds a referral-chasing loop in the Kerberos client TGS exchange to handle cross-realm referrals (bounded and guarded).
• Introduces realm-aware KDC routing via send_for_realm, allowing referral hops to resolve the appropriate realm KDC rather than always using the pinned home-realm KDC.
• Adds unit tests for referral ticket detection logic.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
src/kerberos/mod.rs	Refactors KDC send logic into send_to and adds send_for_realm to support realm-specific KDC resolution for referral hops.
src/kerberos/client/mod.rs	Implements the cross-realm referral chase loop during TGS exchange and adds tests for referral detection.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Pavlo Myroniuk (TheBestTvarynka)]

LGTM