18.104.22.168 TGS Exchange
When the server name is not Krbtgt, the client SHOULD send an authorization data field ([RFC4120] section 5.2.6) with ad-type KERB-LOCAL (142) and ad-data containing KERB-LOCAL structure (section 2.2.3) in an AD-IF-RELEVANT element ([RFC4120] section 22.214.171.124) in the enc-authorization-data field ([RFC4120] section 5.2.6).<33>
The Kerberos client SHOULD add a PA-PAC-OPTIONS  (section 2.2.9) PA-DATA type with the Branch Aware bit set to the TGS REQ. If a server principal unknown with a substatus of NTSTATUS STATUS_NO_SECRETS message ([MS-ERREF] section 2.3.1) is returned, the client SHOULD send an AS-REQ adding a PA-PAC-OPTIONS  (section 2.2.9) PA-DATA type, with the Forward to Full DC bit set, to a full DC, and then send a new TGS_REQ using this TGT to the full DC.
If EnableCBACandArmor is TRUE, the Kerberos client SHOULD add a PA-PAC-OPTIONS  (section 2.2.9) PA-DATA type with the Claims bit set in the TGS REQ to notify the KDC that the client is claims aware.<34>
If EnableCBACandArmor is TRUE and the application server's realm TGT's PA-SUPPORTED-ENCTYPES Compound Identity bit is set, the Kerberos client SHOULD send a compound identity TGS-REQ by using FAST with explicit armoring, using the computer's TGT.<36>