3.3.5.7.6 FORWARDED TGT etype

When the KDC receives a TGS-REQ message, it will create the random session key as specified in [RFC4120] section 3.1.3. If a TGS-REQ message requesting a FORWARDED ([RFC4120] section 2.6) TGT provides an etype value that is not supported by the KDC, and the client provides a PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) with encryption types (section 2.2.7) the KDC supports, then the KDC SHOULD<73> select the strongest encryption type that is both included in the PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) and supported by the KDC to generate the random session key. See section 3.1.5.2 for the relative strengths of KILE-supported encryption types.