3.1.5.1.1 Service Sends S4U2self KRB_TGS_REQ

In the S4U2self request, the user is identified either by the user realm and the user name or, if the service has it, by the user's certificate, as specified in sections 3.1.5.1.1.1 and 3.1.5.1.1.2. The PA-FOR-USER padata type can carry only the realm-and-name form, while the PA-S4U-X509-USER padata type can carry the user identity in either form.

The SFU client SHOULD:<8>

  1. When sending the KRB_TGS_REQ message, add a PA-PAC-OPTIONS [167] ([MS-KILE] section 2.2.10) padata type with the claims bit set, to request claims authorization data, and with the resource-based constrained delegation bit set (SHOULD<9>), to inform the KDC that the client supports resource-based constrained delegation.

  2. When receiving the KRB_TGS_REP message, if the claims bit is set in PA-SUPPORTED-ENCTYPES [165] ([MS-KILE] section 2.2.8) and not set in PA-PAC-OPTIONS [167], the Kerberos client SHOULD locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) and go back to step 1.
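The following is an added example, not part of [MS-SFU] or any Microsoft implementation, that builds the PA-PAC-OPTIONS padata from step 1 as DER, parses it back (useful for inspecting a captured KRB_TGS_REQ or KRB_TGS_REP in a lab), and applies the step 2 decision rule. It uses only the padata type numbers given above (165 and 167); the PACOptionFlags bit positions (claims = bit 0, resource-based constrained delegation = bit 3, as KerberosFlags with bit 0 in the most significant position of the first octet) and the "claims supported" mask 0x00040000 in PA-SUPPORTED-ENCTYPES are assumed from [MS-KILE] sections 2.2.10 and 2.2.8 and are marked as assumptions in the code. The DER encoding is hand-rolled so the example runs with the standard library alone.

```python
"""Build, decode and evaluate the S4U2self PA-PAC-OPTIONS padata.

Added example (not from [MS-SFU]); DER is hand-rolled, short-form lengths only.
"""

PA_SUPPORTED_ENCTYPES = 165   # padata type number, from the text
PA_PAC_OPTIONS = 167          # padata type number, from the text

# PACOptionFlags bit positions (KerberosFlags: bit 0 is the MSB of the first
# octet, RFC 4120 section 5.2.8). Assumed from [MS-KILE] section 2.2.10.
FLAG_CLAIMS = 0
FLAG_BRANCH_AWARE = 1
FLAG_FORWARD_TO_FULL_DC = 2
FLAG_RBCD = 3

# "Claims supported" mask inside the PA-SUPPORTED-ENCTYPES Int32 bit field.
# Assumed from [MS-KILE] section 2.2.8.
SUPPORTED_ENCTYPES_CLAIMS = 0x00040000


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV with a short-form length (enough for padata this small)."""
    if len(content) > 127:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def der_int32(value: int) -> bytes:
    """DER INTEGER for a non-negative Int32 (adds a leading 0x00 when the MSB is set)."""
    n = max(1, (value.bit_length() + 8) // 8)
    return der(0x02, value.to_bytes(n, "big"))


def kerberos_flags(bits) -> bytes:
    """DER BIT STRING holding a 32-bit KerberosFlags value, MSB first."""
    raw = bytearray(4)
    for b in bits:
        raw[b // 8] |= 0x80 >> (b % 8)
    return der(0x03, b"\x00" + bytes(raw))   # leading 0x00 = no unused bits


def encode_pac_options(claims: bool = True, rbcd: bool = True) -> bytes:
    """PA-PAC-OPTIONS ::= SEQUENCE { flags [0] PACOptionFlags } (step 1 above)."""
    bits = ([FLAG_CLAIMS] if claims else []) + ([FLAG_RBCD] if rbcd else [])
    return der(0x30, der(0xA0, kerberos_flags(bits)))


def encode_padata(padata_type: int, value: bytes) -> bytes:
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }."""
    return der(0x30, der(0xA1, der_int32(padata_type)) + der(0xA2, der(0x04, value)))


def decode_pac_options(blob: bytes) -> dict:
    """Parse a PA-PAC-OPTIONS value back into named flags."""
    def tlv(buf, pos, expect):
        if buf[pos] != expect or buf[pos + 1] > 127:
            raise ValueError("unexpected DER tag or long-form length")
        ln = buf[pos + 1]
        return buf[pos + 2:pos + 2 + ln], pos + 2 + ln

    seq, _ = tlv(blob, 0, 0x30)
    ctx0, _ = tlv(seq, 0, 0xA0)
    bitstr, _ = tlv(ctx0, 0, 0x03)
    raw = bitstr[1:]                       # drop the unused-bits octet

    def bit(i):
        return bool(raw[i // 8] & (0x80 >> (i % 8)))

    return {"claims": bit(FLAG_CLAIMS), "branch_aware": bit(FLAG_BRANCH_AWARE),
            "forward_to_full_dc": bit(FLAG_FORWARD_TO_FULL_DC), "rbcd": bit(FLAG_RBCD)}


def must_retry_at_win2012_dc(supported_enctypes: int, reply_pac_options: bytes = b"") -> bool:
    """Step 2 above: claims advertised in PA-SUPPORTED-ENCTYPES but not set in the
    reply's PA-PAC-OPTIONS (or no PA-PAC-OPTIONS at all) means the client should
    locate a DS_BEHAVIOR_WIN2012 DC and go back to step 1."""
    kdc_claims = bool(supported_enctypes & SUPPORTED_ENCTYPES_CLAIMS)
    reply_claims = bool(reply_pac_options) and decode_pac_options(reply_pac_options)["claims"]
    return kdc_claims and not reply_claims


if __name__ == "__main__":
    # Constructed sample: the padata a client would add in step 1.
    padata = encode_padata(PA_PAC_OPTIONS, encode_pac_options())
    print("PA-DATA:", padata.hex())
    print("decoded:", decode_pac_options(encode_pac_options()))
    # Constructed sample reply: KDC advertises claims (0x00040000 plus AES/RC4 bits)
    # but answered without the claims bit in PA-PAC-OPTIONS.
    print("retry at WIN2012 DC:", must_retry_at_win2012_dc(0x0004001C, encode_pac_options(claims=False)))
```

The decoder accepts the same value whether it came from the client's own request or from a captured reply, so it doubles as a quick check of what a particular KDC actually returned when troubleshooting claims not appearing in a service ticket's PAC.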