220.127.116.11.1 Service Sends S4U2self KRB_TGS_REQ
In the S4U2self request, the user is identified either by the user realm and user name or, if the service has it, by the user's certificate, as specified in sections 18.104.22.168.1.1 and 22.214.171.124.1.2. The user identification is carried in a PA-FOR-USER PA-DATA type in the first case and in a PA-S4U-X509-USER PA-DATA type in the second.
The SFU client SHOULD:<9>
1. When sending the KRB_TGS_REQ, add a PA-PAC-OPTIONS ([MS-KILE] section 2.2.9) PA-DATA type with the claims bit set to request claims authorization data and with the resource-based constrained delegation bit set to inform the KDC that it supports resource-based constrained delegation.<10>
2. When receiving the KRB_TGS_REP, if the claims bit is set in PA-SUPPORTED-ENCTYPES ([MS-KILE] section 2.2.7) and not set in PA-PAC-OPTIONS, the Kerberos client SHOULD locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 126.96.36.199) and go back to step 1.
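The two steps above, as an added Python example that is not part of the specification: it builds and parses the PA-PAC-OPTIONS padata-value and applies the step 2 check, which is also what an analyst would decode from a captured request. Assumptions: padata-type 167 and flag bits 0 (claims) and 3 (resource-based constrained delegation) as defined in [MS-KILE], the PA-SUPPORTED-ENCTYPES flags are passed as an already-decoded integer, a missing PA-PAC-OPTIONS counts as "claims not set", and all function names are hypothetical.

```python
# Added example, not taken from the specification text.
PA_PAC_OPTIONS = 167                    # padata-type for PA-PAC-OPTIONS
CLAIMS_BIT = 0                          # KerberosFlags bit 0 (most significant)
RBCD_BIT = 3                            # resource-based constrained delegation
SUPPORTED_ENCTYPES_CLAIMS = 0x00040000  # Claims-supported flag, as an integer


def encode_pa_pac_options(*bits):
    """DER-encode SEQUENCE { flags [0] KerberosFlags } with the given bits set."""
    flags = 0
    for bit in bits:
        flags |= 0x80000000 >> bit
    bit_string = b"\x03\x05\x00" + flags.to_bytes(4, "big")  # 0 unused bits
    tagged = b"\xa0" + bytes([len(bit_string)]) + bit_string
    return b"\x30" + bytes([len(tagged)]) + tagged


def decode_pa_pac_options(der):
    """Return the set of bit numbers set in a PA-PAC-OPTIONS padata-value."""
    n = len(der)
    if n < 7 or n > 129:  # short-form DER lengths only
        raise ValueError("unexpected PA-PAC-OPTIONS length")
    if (der[0], der[2], der[4]) != (0x30, 0xA0, 0x03):
        raise ValueError("unexpected DER tags")
    if (der[1], der[3], der[5]) != (n - 2, n - 4, n - 6):
        raise ValueError("inconsistent DER lengths")
    unused, body = der[6], der[7:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    value, nbits = int.from_bytes(body, "big"), len(body) * 8
    return {i for i in range(nbits - unused) if (value >> (nbits - 1 - i)) & 1}


def must_retry_on_win2012_dc(supported_enctypes, pac_options_der):
    """Step 2: claims set in PA-SUPPORTED-ENCTYPES but not in PA-PAC-OPTIONS."""
    claims_in_pac_options = (
        pac_options_der is not None
        and CLAIMS_BIT in decode_pa_pac_options(pac_options_der)
    )
    return bool(supported_enctypes & SUPPORTED_ENCTYPES_CLAIMS) and not claims_in_pac_options


# Step 1: the padata-value an SFU client adds to the S4U2self KRB_TGS_REQ.
REQUEST_VALUE = encode_pa_pac_options(CLAIMS_BIT, RBCD_BIT)
```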