I am trying to test S4U2self with one-way trusts and seem to be running into an issue.
I have a test setup where DOMAINA trusts DOMAINB. Server1 exists in DOMAINA, and user1 exists in DOMAINB. Given the direction of the trust, it should be possible to get a service ticket for Server1 for user1.
>From the TRACE calls I believe when S4U2self functionality is triggered on Server1 for user1, Server1 attempts to get a TGT to DOMAINB by using the SPN krbtgt\DOMAINB@DOMAINA. This request is sent to the KDC for DOMAINA. My understanding is that this krbtgt account will not exist for an outbound trust, and the request fails with "server not found in Kerberos database" (like in my setup).
In fact, the krbtgt account that would exist on both domains is is krbtgt\DOMAINA@DOMAINB (when DOMAINA trusts DOMAINB).
So two questions:
1. Is S4U2self expected to work in a one-way trust scenario?
2. If so, shouldn't the TGT request for the foreign realm for S4U2self be for krbtgt\DOMAINA@DOMAINB?