Determine if ticket has been policy checked for transit.

The application server is ultimately responsible for accepting or
rejecting authentication and SHOULD check that only suitably
trusted KDCs are relied upon to authenticate a principal. The
transited field in the ticket identifies which realms (and thus
which KDCs) were involved in the authentication process and an
application server would normally check this field. If any of these
are untrusted to authenticate the indicated client principal
(probably determined by a realm-based policy), the authentication
attempt MUST be rejected. The presence of trusted KDCs in this list
does not provide any guarantee; an untrusted KDC may have
fabricated the list.

While the end server ultimately decides whether authentication is
valid, the KDC for the end server's realm MAY apply a realm-specific
policy for validating the transited field and accepting
credentials for cross-realm authentication. When the KDC applies
such checks and accepts such cross-realm authentication, it will set
the TRANSITED-POLICY-CHECKED flag in the service tickets it issues
based on the cross-realm TGT. A client MAY request that the KDCs
not check the transited field by setting the
DISABLE-TRANSITED-CHECK flag. KDCs are encouraged but not required
to honor this flag.
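
The acceptance decision an application server makes from the checks described above, as an added example (not code from the original page or from any Kerberos library). `struct ticket_view`, the flag mask and the trusted-realm list are assumptions standing in for a decoded ticket and a local realm-based policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed mask for this example's own flag word, not a library constant. */
#define FLAG_TRANSITED_POLICY_CHECKED 0x1u

/* Hypothetical decoded view of a ticket. */
struct ticket_view {
    unsigned flags;
    const char *client_realm;
    const char *server_realm;
    const char *const *transited;   /* realms decoded from the transited field */
    size_t n_transited;
};

static bool realm_trusted(const char *realm,
                          const char *const *trusted, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(realm, trusted[i]) == 0)
            return true;
    return false;
}

/* Returns true if the ticket passes the transit policy check. */
bool transit_acceptable(const struct ticket_view *t,
                        const char *const *trusted, size_t n_trusted)
{
    /* Not cross-realm and nothing transited: no foreign KDC to vet. */
    if (strcmp(t->client_realm, t->server_realm) == 0 && t->n_transited == 0)
        return true;
    /* The KDC of the server's realm applied its policy and said so. */
    if (t->flags & FLAG_TRANSITED_POLICY_CHECKED)
        return true;
    /* Local check: one untrusted realm rejects the ticket. Trusted
     * entries elsewhere in the list prove nothing, because an
     * untrusted KDC may have fabricated them. */
    for (size_t i = 0; i < t->n_transited; i++)
        if (!realm_trusted(t->transited[i], trusted, n_trusted))
            return false;
    return true;
}
```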

Application servers MUST either do the transited-realm checks
themselves, or reject cross-realm tickets without TRANSITED-POLICY-