As an update, here is what we have worked out.

As stated in the previous e-mail, it is not possible for KERB_TICKET_CACHE_INFO_EX to be used to obtain the ClientRealm information for tickets on a reliable basis unless we know that the tickets will in fact be in the cache. Larry has a private fix which he is willing to make available (after successful testing via PSS). This fix is an extension to the KerbRetrieveEncodedTicketMessage which will force the storage of the retrieved ticket in the cache. With this fix it will be possible to implement the necessary functionality.

Therefore, what has been implemented in the krb5_ccache MSLSA code is the following:

* A test to determine if KERB_TICKET_CACHE_INFO_EX is available
* A test to determine if KERB_RETRIEVE_TICKET_CACHE_TICKET is implemented
* Code which, depending on the availability of both of the above, when attempting to retrieve a ticket will search the entire cache for that ticket and, if found, utilize the ClientRealm information provided by the KERB_TICKET_CACHE_INFO_EX entry for that ticket instead of the DomainName found in the KERB_EXTERNAL_TICKET

This is going to significantly increase the amount of work needed to properly export a ticket from the LSA cache to an MIT Kerberos application. However, it will do so correctly.

Larry and David are going to set up a test machine for me to use to make sure this private fix works and the test build of KRB5_32.DLL works with it. Assuming it does, I am going to fold this code into the KFW 2.6.4 release. The existing behavior of the krb5_ccache MSLSA interface will be preserved on Windows 2000; Windows XP will use KERB_TICKET_CACHE_INFO when enumerating tickets; and when the fix is in place, retrieved tickets will obtain the correct ClientRealm information as well.

Doug, assuming this all works, it should close the book on the transitive cross-realm tickets being displayed with the wrong client principal realm problem you reported months ago.
More importantly, the ability to store tickets in the cache with specific enctypes and/or ticket flag combinations will significantly improve the performance of MIT Kerberos applications when using the MSLSA cache as the default cache for the system. Therefore, when the PSS is available I will encourage organizations which deploy KFW to obtain it and deploy the fix along with KFW.

Jeffrey Altman
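The realm-selection step the message describes (search the cache for the entry describing the retrieved ticket and take its ClientRealm rather than the KERB_EXTERNAL_TICKET DomainName), as an added example that is not part of the e-mail or of the KFW code. The matching key (start time, end time, ticket flags, server realm and service name), the assumption that a cache entry's ServerName is the service principal's components joined with '/', the helper names, and the realms HOME.EXAMPLE and HUB.EXAMPLE in the constructed data are all this example's own choices, not KFW's. On Windows it compiles against the real <ntsecapi.h> types; elsewhere it declares mirrors of only the fields it reads so the logic can be exercised on the constructed data.

```c
/* Added example, not MIT Kerberos or KFW code.  Resolve the client realm of a
 * ticket exported from the MSLSA cache from the KERB_TICKET_CACHE_INFO_EX entry
 * that describes the same ticket, falling back to KERB_EXTERNAL_TICKET.DomainName
 * only when the ticket is not in the cache.  On Windows the real <ntsecapi.h>
 * types are used; elsewhere mirrors of just the fields read here are declared so
 * the matching logic can be compiled and exercised on constructed data. */
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
#include <stdint.h>
typedef uint16_t USHORT, WCHAR, *PWSTR; typedef int16_t SHORT;
typedef uint32_t ULONG; typedef int32_t LONG;
typedef struct { USHORT Length, MaximumLength; PWSTR Buffer; } UNICODE_STRING;
typedef union { int64_t QuadPart; } LARGE_INTEGER;
typedef struct { SHORT NameType; USHORT NameCount; UNICODE_STRING Names[1]; } KERB_EXTERNAL_NAME;
typedef struct {                                   /* field order as in ntsecapi.h */
    UNICODE_STRING ClientName, ClientRealm, ServerName, ServerRealm;
    LARGE_INTEGER StartTime, EndTime, RenewTime; LONG EncryptionType; ULONG TicketFlags;
} KERB_TICKET_CACHE_INFO_EX;
typedef struct {
    KERB_EXTERNAL_NAME *ServiceName, *TargetName, *ClientName;
    UNICODE_STRING DomainName, TargetDomainName, AltTargetDomainName;
    struct { LONG KeyType; ULONG Length; unsigned char *Value; } SessionKey;
    ULONG TicketFlags, Flags;
    LARGE_INTEGER KeyExpirationTime, StartTime, EndTime, RenewUntil, TimeSkew;
} KERB_EXTERNAL_TICKET;
#endif

static int ustr_eq(const UNICODE_STRING *a, const UNICODE_STRING *b)
{
    return a->Length == b->Length && (a->Length == 0 || memcmp(a->Buffer, b->Buffer, a->Length) == 0);
}

/* A cache entry's ServerName holds the service principal's components joined by '/'
 * (assumed here; it is what klist prints); the ticket carries them as an array. */
static int service_name_eq(const KERB_EXTERNAL_NAME *n, const UNICODE_STRING *s)
{
    ULONG pos = 0;                                   /* byte offset into s->Buffer */
    for (USHORT i = 0; i < n->NameCount; i++) {
        const UNICODE_STRING *c = &n->Names[i];
        if (i) {                                     /* expect a '/' between components */
            if (pos + 2 > s->Length || s->Buffer[pos / 2] != '/') return 0;
            pos += 2;
        }
        if (pos + c->Length > s->Length || memcmp(s->Buffer + pos / 2, c->Buffer, c->Length) != 0) return 0;
        pos += c->Length;
    }
    return pos == s->Length;
}

/* The fix the message describes: take ClientRealm from the cache entry for this
 * very ticket; DomainName names the wrong realm for transitive cross-realm tickets. */
static const UNICODE_STRING *client_realm_for(const KERB_EXTERNAL_TICKET *t,
                                              const KERB_TICKET_CACHE_INFO_EX *c, ULONG n)
{
    for (ULONG i = 0; i < n; i++)
        if (c[i].StartTime.QuadPart == t->StartTime.QuadPart && c[i].EndTime.QuadPart == t->EndTime.QuadPart &&
            c[i].TicketFlags == t->TicketFlags && ustr_eq(&c[i].ServerRealm, &t->TargetDomainName) &&
            service_name_eq(t->ServiceName, &c[i].ServerName))
            return &c[i].ClientRealm;
    return &t->DomainName;                           /* not in the cache: the only source left */
}

/* Test data only: build a UNICODE_STRING over a caller-supplied UTF-16 buffer from ASCII. */
static UNICODE_STRING us(const char *a, WCHAR *buf)
{
    UNICODE_STRING u; size_t i;
    for (i = 0; a[i]; i++) buf[i] = (WCHAR)a[i];
    u.Length = u.MaximumLength = (USHORT)(i * sizeof(WCHAR)); u.Buffer = buf;
    return u;
}

/* Constructed case (no real KDC): a client from HOME.EXAMPLE holds ldap/dc1.hub.example
 * reached through HUB.EXAMPLE.  DomainName says HUB.EXAMPLE; the cache entry says HOME.EXAMPLE.
 * Returns 3 when the cached path yields the entry's ClientRealm and the uncached path DomainName. */
static int constructed_check(void)
{
    WCHAR b[6][32]; int ok = 0;
    union { KERB_EXTERNAL_NAME n; unsigned char raw[sizeof(KERB_EXTERNAL_NAME) + sizeof(UNICODE_STRING)]; } svc;
    UNICODE_STRING *comp = svc.n.Names;              /* room for two components inside the union */
    KERB_EXTERNAL_TICKET t; KERB_TICKET_CACHE_INFO_EX c[2];
    memset(&svc, 0, sizeof svc); memset(&t, 0, sizeof t); memset(c, 0, sizeof c);
    svc.n.NameCount = 2; comp[0] = us("ldap", b[0]); comp[1] = us("dc1.hub.example", b[1]);
    t.ServiceName = &svc.n;
    t.DomainName = t.TargetDomainName = us("HUB.EXAMPLE", b[2]);   /* LSA reports the intermediate realm here */
    t.StartTime.QuadPart = 1000; t.EndTime.QuadPart = 2000; t.TicketFlags = 0x40a00000;
    c[0].ServerName = us("krbtgt/HUB.EXAMPLE", b[3]);              /* the cross-realm TGT; times differ, no match */
    c[1].ServerName = us("ldap/dc1.hub.example", b[4]); c[1].ServerRealm = t.TargetDomainName;
    c[1].ClientRealm = us("HOME.EXAMPLE", b[5]);                    /* the client's true realm */
    c[1].StartTime = t.StartTime; c[1].EndTime = t.EndTime; c[1].TicketFlags = t.TicketFlags;
    if (client_realm_for(&t, c, 2) == &c[1].ClientRealm) ok |= 1;  /* cached: entry's ClientRealm wins */
    if (client_realm_for(&t, c, 1) == &t.DomainName) ok |= 2;      /* not cached: DomainName fallback */
    return ok;
}
```

On Windows the two inputs come from LsaCallAuthenticationPackage against the Kerberos package: a KerbRetrieveEncodedTicketMessage request whose CacheOptions include KERB_RETRIEVE_TICKET_CACHE_TICKET (so the retrieved KERB_EXTERNAL_TICKET is also stored in the cache, which is what the fix described above provides), followed by a KerbQueryTicketCacheExMessage request whose KERB_QUERY_TKT_CACHE_EX_RESPONSE supplies the Tickets array passed as `c`. Without the cache option the second lookup can miss, which is exactly the case the fallback branch covers, and the exported credential then carries whatever DomainName says.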