22.214.171.124.4 Receives S4U2proxy KRB_TGS_REP
Services can detect whether the KDC supports S4U by checking the cname of the returned ticket. KDCs that do not support S4U ignore the S4U2self and S4U2proxy data and return a service ticket with the cname containing the name of the service that made the request ([RFC4120] section 3.3.3). In service tickets from KDCs that support S4U, the cname contains the name of the user.
Service 1 now has a service ticket to Service 2 with the cname and crealm of the user and authorization data of the user, just as if the user had requested the service ticket. Note, however, that the session key for authenticating to that ticket is owned by Service 1.