3.2.5.4 Using FAST When the Realm Supports FAST
In addition to the RFC behavior ([RFC6113]), the Kerberos client SHOULD use the PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) from the TGT obtained from a realm to determine if a realm supports FAST.
1. If the client does not have a TGT for the realm and is creating an:
      AS-REQ: the client obtains a TGT for the computer principal from the user principal's domain.
      TGS-REQ: the client obtains a referral TGT for the user principal for the target domain.
      Compound identity TGS-REQ: the client obtains a user principal TGT and computer principal TGT for the target domain with the same key version numbers (section 3.1.5.8).
   If a TGT for the required principals cannot be obtained and RequireFAST is:
      TRUE: the client fails the request.
      FALSE: the client continues without FAST.
2. When processing the KRB_AS_REP or KRB_TGS_REP message, if the FAST-supported bit in the PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) of the TGT received in step 1 is:
      Not set and RequireFAST is TRUE: the client fails the request.
      Not set and RequireFAST is FALSE: the client continues without FAST.
      Set: the client finds a DC that supports FAST and uses FAST:
         Locate a DS_BEHAVIOR_WIN2012 DC (section 3.2.5.3).
         If a DS_BEHAVIOR_WIN2012 DC is not found and RequireFAST is:
            TRUE: the client fails the request.
            FALSE: the client continues without FAST.
         If a DS_BEHAVIOR_WIN2012 DC is found, the client uses the TGT obtained in step 1 to armor the message it is creating ([RFC6113] sections 5.4.2, 5.4.3 and 5.4.4) to the DS_BEHAVIOR_WIN2012 DC. If the request fails without an authenticated Kerberos error message and RequireFAST is TRUE, then the client fails the request.
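The decision procedure above, written out as an added Python example (not code from the specification or from any Kerberos implementation), showing which states leave a request unarmored under each RequireFAST setting. The 0x00010000 FAST-supported flag value comes from MS-KILE section 2.2.7 rather than this section, the 4-byte little-endian encoding of the PA-SUPPORTED-ENCTYPES value is an assumption, and all function and constant names are hypothetical.

```python
import struct
from enum import Enum
from itertools import product

# FAST-supported flag in the supported-encryption-types bit field.
# Value taken from MS-KILE section 2.2.7; it is not stated in this section.
FAST_SUPPORTED = 0x00010000

class Outcome(Enum):
    FAIL = "client fails the request"
    NO_FAST = "client continues without FAST"
    USE_FAST = "client armors the request with the TGT"

def fast_supported(padata_value: bytes) -> bool:
    """Decode a PA-SUPPORTED-ENCTYPES [165] value (assumed: 32-bit little-endian flags)."""
    if len(padata_value) != 4:
        raise ValueError("PA-SUPPORTED-ENCTYPES value must be 4 bytes")
    (flags,) = struct.unpack("<I", padata_value)
    return bool(flags & FAST_SUPPORTED)

def decide(require_fast: bool, tgt_padata, win2012_dc_found: bool) -> Outcome:
    """Apply the section's checks. tgt_padata is None when no TGT could be obtained."""
    # Every failed precondition resolves the same way: RequireFAST picks
    # between failing closed and silently dropping the armor.
    fallback = Outcome.FAIL if require_fast else Outcome.NO_FAST
    if tgt_padata is None:               # no TGT for the required principals
        return fallback
    if not fast_supported(tgt_padata):   # FAST-supported bit not set in the TGT
        return fallback
    if not win2012_dc_found:             # no DS_BEHAVIOR_WIN2012 DC located
        return fallback
    return Outcome.USE_FAST

# Constructed sample values: RC4 + AES128 + AES256, with and without the FAST bit.
WITH_FAST = bytes.fromhex("1c000100")
WITHOUT_FAST = bytes.fromhex("1c000000")

def unarmored_states(require_fast: bool):
    """List every (tgt_padata, dc_found) state that ends in NO_FAST for a given policy."""
    states = product((None, WITHOUT_FAST, WITH_FAST), (False, True))
    return [s for s in states if decide(require_fast, *s) is Outcome.NO_FAST]

if __name__ == "__main__":
    for policy in (True, False):
        print(f"RequireFAST={policy}: {len(unarmored_states(policy))} unarmored states")
```

With RequireFAST set to FALSE, five of the six modelled states end in an unarmored request; with TRUE, none do. The final rule about an armored request failing without an authenticated error is not modelled, since the section specifies it only for RequireFAST TRUE.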