All Key Distribution Centers (KDCs) and Kerberos servers sending or receiving the Service for User (S4U) extensions in the KRB_TGS_REQ and KRB_TGS_REP messages must recognize the protocol extensions. Services can detect whether the KDC supports these extensions by checking the client name of the returned ticket. KDCs that do not understand these extensions will return the client name as the service that is making the request. KDCs that understand these extensions either return an error or return a service ticket that contains the client name as the user, not the service that is making the request.<4>
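The client-name check described above can be written as a small classifier. This is an added example, not code from the specification: the `Principal` helper, the `classify_s4u_reply` function, the result labels and the dictionary shape of the decoded reply are all assumptions made for illustration, and the sample names and replies are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # Simplified "a/b@REALM" form; escaped '/' and '@' are not handled.
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"not a name@REALM principal: {text!r}")
        return cls(tuple(name.split("/")), realm)

    def same_as(self, other: "Principal") -> bool:
        # Deliberately case-insensitive: a near-match to the service's own
        # name counts as a match, so the caller's check fails closed.
        def fold(p):
            return [c.casefold() for c in p.components], p.realm.casefold()
        return fold(self) == fold(other)


def classify_s4u_reply(service: str, requested_user: str, reply: dict) -> str:
    """Return 'kdc-error', 'inconclusive', 's4u-ignored' or 's4u-honored'.

    `reply` is a hypothetical, already-decoded KDC answer: either
    {"error_code": int} or {"cname": str, "crealm": str}.
    """
    if "error_code" in reply:
        return "kdc-error"        # no ticket was issued, so no client name to inspect
    svc = Principal.parse(service)
    if svc.same_as(Principal.parse(requested_user)):
        return "inconclusive"     # service asked about itself; both cases look alike
    cname = Principal.parse(f"{reply['cname']}@{reply['crealm']}")
    if cname.same_as(svc):
        return "s4u-ignored"      # ticket names the requesting service, not the user
    return "s4u-honored"          # ticket names someone other than the service


# Constructed sample data, not captured traffic.
SERVICE = "websvc@EXAMPLE.TEST"
USER = "alice@EXAMPLE.TEST"
HONORED = {"cname": "alice", "crealm": "EXAMPLE.TEST"}
IGNORED = {"cname": "WebSvc", "crealm": "example.test"}
ERROR = {"error_code": 13}
```

A service should treat only the `s4u-honored` result as a ticket issued on behalf of the user; every other result means the reply must not be used as the user's ticket.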
To support the lookup of users based on a supplied certificate, the KDC must have an accounts database available to it that supports looking up user accounts using one or more fields present in the certificate.