3.2.5.1.2 KDC Replies with Service Ticket

When a KDC processes a TGS-REQ ([RFC4120] section 3.3.2) and the Service 1 account is in the KDC's realm, the KDC MUST reply with the service ticket, where:

  • sname contains the name of Service 1.

  • realm contains the realm of Service 1.

  • cname contains the userName field of the PA-FOR-USER data.

  • crealm contains the userRealm field of the PA-FOR-USER data.

If the TrustedToAuthenticationForDelegation parameter on the Service 1 principal is set to:

  • TRUE: the KDC MUST set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.

  • FALSE and ServicesAllowedToSendForwardedTicketsTo is non-empty: the KDC MUST NOT set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.<18>

If the DelegationNotAllowed parameter on the principal is set, then the KDC SHOULD NOT set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.<19>

If the KRB_TGS_REQ contains a PA-S4U-X509-USER padata type, the KDC MUST include the PA-S4U-X509-USER padata type in the KRB_TGS_REP.

If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], the KDC, when populating the KERB_VALIDATION_INFO Structure ([MS-KILE] section 3.3.5.6.3.1), MUST NOT include the AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID ([MS-DTYP] section 2.4.2.4) in the ExtraSids field and SHOULD add the SERVICE_ASSERTED_IDENTITY SID ([MS-DTYP] section 2.4.2.4) instead.<20>
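The rules above decide three things about an S4U2self reply: which names go into the ticket, whether the FORWARDABLE flag is set, and which asserted-identity SID the PAC carries. The following Python model is an added example written for this page; it is not Microsoft's KDC code, which is not public, and it reproduces only the normative statements in this section. It assumes the well-known SID values S-1-18-1 and S-1-18-2 from [MS-DTYP] section 2.4.2.4 (the values are not on this page), it treats DelegationNotAllowed as taking precedence over the TrustedToAuthenticationForDelegation rules (an ordering the section does not state), and it returns None for the combination the section leaves to product behaviour (TrustedToAuthenticationForDelegation FALSE with an empty ServicesAllowedToSendForwardedTicketsTo, footnote <18>) rather than guessing. The padata type is modelled by name only; numeric type codes are not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Well-known SIDs from [MS-DTYP] section 2.4.2.4 (values assumed, not on this page).
AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"
SERVICE_ASSERTED_IDENTITY = "S-1-18-2"

# Padata type referenced symbolically; the numeric code is not modelled.
PA_S4U_X509_USER = "PA-S4U-X509-USER"


@dataclass
class ServicePrincipal:
    """Service 1 as the KDC sees it: the parameters this section consults."""
    name: str
    realm: str
    trusted_to_authenticate_for_delegation: bool
    services_allowed_to_send_forwarded_tickets_to: List[str] = field(default_factory=list)


@dataclass
class PaForUser:
    """The userName and userRealm fields of the PA-FOR-USER padata in the TGS-REQ."""
    user_name: str
    user_realm: str


@dataclass
class S4U2selfTicketDecision:
    sname: str
    realm: str
    cname: str
    crealm: str
    forwardable: Optional[bool]  # True = MUST set, False = MUST/SHOULD NOT set, None = not covered here
    extra_sids: List[str]
    reply_padata: List[str]


def forwardable_flag(svc: ServicePrincipal, delegation_not_allowed: bool) -> Optional[bool]:
    """Decide the FORWARDABLE flag of the S4U2self service ticket.

    Evaluation order is an assumption of this model: DelegationNotAllowed (a
    SHOULD NOT) is checked first so a protected account never yields a
    forwardable ticket, then the TrustedToAuthenticationForDelegation rules.
    """
    if delegation_not_allowed:
        return False
    if svc.trusted_to_authenticate_for_delegation:
        return True
    if svc.services_allowed_to_send_forwarded_tickets_to:
        return False
    # FALSE with an empty ServicesAllowedToSendForwardedTicketsTo is left to
    # product behaviour (footnote <18>), so the model does not decide it.
    return None


def pac_extra_sids(extra_sids: List[str]) -> List[str]:
    """Apply the KERB_VALIDATION_INFO rule: drop the authentication-authority
    asserted-identity SID and add the service asserted-identity SID instead."""
    result = [s for s in extra_sids if s != AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY]
    if SERVICE_ASSERTED_IDENTITY not in result:
        result.append(SERVICE_ASSERTED_IDENTITY)
    return result


def build_s4u2self_reply(svc: ServicePrincipal, pa_for_user: PaForUser,
                         request_padata: List[str], delegation_not_allowed: bool = False,
                         extra_sids=()) -> S4U2selfTicketDecision:
    """Assemble the reply fields this section mandates for an in-realm Service 1."""
    # PA-S4U-X509-USER in the request MUST be echoed in the reply.
    reply_padata = [PA_S4U_X509_USER] if PA_S4U_X509_USER in request_padata else []
    return S4U2selfTicketDecision(
        sname=svc.name,
        realm=svc.realm,
        cname=pa_for_user.user_name,     # taken from PA-FOR-USER, not from the requester
        crealm=pa_for_user.user_realm,
        forwardable=forwardable_flag(svc, delegation_not_allowed),
        extra_sids=pac_extra_sids(list(extra_sids)),
        reply_padata=reply_padata,
    )


if __name__ == "__main__":
    # Constructed sample: a front-end service with protocol transition enabled.
    web = ServicePrincipal("http/web.example.test", "EXAMPLE.TEST", True)
    decision = build_s4u2self_reply(web, PaForUser("alice", "EXAMPLE.TEST"),
                                    [PA_S4U_X509_USER],
                                    extra_sids=[AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY])
    print(decision)
```

Run as a script it prints the decision for the constructed front-end service. The None return is deliberate: an auditor comparing a KDC's observed behaviour against this section should treat that case as product-defined rather than as a conformance failure, while a service with TrustedToAuthenticationForDelegation set, or an impersonated account without DelegationNotAllowed, is exactly where the flag decision matters.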

© 2014 Microsoft