3.2.5.7 TGS Exchange

When the server name is not krbtgt (that is, for any TGS-REQ that is not itself a request for a TGT), the client includes an authorization data element ([RFC4120] section 5.2.6) with ad-type KERB-LOCAL (142) and ad-data containing a KERB-LOCAL structure (section 2.2.4), wrapped in an AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1), in the enc-authorization-data field of the request. Because the element is carried inside AD-IF-RELEVANT, a KDC or application server that does not understand KERB-LOCAL can ignore it rather than reject the request.

The Kerberos client adds a PA-PAC-OPTIONS [167] (section 2.2.10) padata type with the Branch Aware bit set to the TGS-REQ. If the KDC returns KDC_ERR_S_PRINCIPAL_UNKNOWN (server principal unknown) with a substatus of NTSTATUS STATUS_NO_SECRETS ([MS-ERREF] section 2.3.1), carried as a KERB-EXT-ERROR (section 2.2.1) in the e-data of the KRB-ERROR, the KDC that answered does not hold the secrets needed to issue the requested ticket (the case of a read-only DC at a branch site). The client then sends an AS-REQ, adding a PA-PAC-OPTIONS [167] (section 2.2.10) padata type with the Forward to Full DC bit set, to a full (writable) DC, and then sends a new KRB_TGS_REQ message for the original service to that full DC using the TGT obtained from it. A KDC_ERR_S_PRINCIPAL_UNKNOWN without the STATUS_NO_SECRETS substatus is a final error and is not retried this way.

If EnableCBACandArmor is TRUE, the Kerberos client adds a PA-PAC-OPTIONS [167] (section 2.2.10) padata type with the Claims bit (specified in section 2.2.7) set to the TGS-REQ, to notify the KDC that the client is claims aware and can consume a PAC that carries claims.
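As an added example (not code from [MS-KILE] or from Windows), the following Python builds the PA-PAC-OPTIONS [167] padata used by the two paragraphs above, parses it back to check the bit positions, and walks a client through the Branch Aware / Forward to Full DC retry against two constructed stand-in KDCs. The DER layout follows PA-DATA and KerberosFlags from [RFC4120] and the SEQUENCE { [0] KerberosFlags } of section 2.2.10; the numeric error and status codes are the published ones. FakeKdc, get_service_ticket, the service names and the KDC-side decision logic are assumptions made for the simulation, modelled only as far as this section describes the exchange from the client's side.

```python
"""Added example, not code from [MS-KILE] or Windows: build and parse the
PA-PAC-OPTIONS [167] padata, then run the Branch Aware / Forward to Full DC
retry from 3.2.5.7 against constructed stand-in KDCs."""

PA_PAC_OPTIONS = 167
# Bit positions in the PA-PAC-OPTIONS KerberosFlags ([MS-KILE] 2.2.10).
CLAIMS, BRANCH_AWARE, FORWARD_TO_FULL_DC, RBCD = 0, 1, 2, 3
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7                 # [RFC4120] 7.5.9
STATUS_NO_SECRETS = 0xC0000371                  # [MS-ERREF] 2.3.1

def der(tag, body):
    """One DER TLV with a definite-form (short or long) length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_ctx(n, body):
    """EXPLICIT context-specific tag [n], as Kerberos ASN.1 uses throughout."""
    return der(0xA0 | n, body)

def der_int(v):
    """DER INTEGER for the non-negative Int32 values needed here."""
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def kerberos_flags(bits):
    """KerberosFlags ([RFC4120] 5.2.8): >= 32-bit BIT STRING, bit 0 = MSB of octet 0."""
    word = sum(1 << (31 - b) for b in bits)
    return der(0x03, b"\x00" + word.to_bytes(4, "big"))

def encode_pa_pac_options(*bits):
    """PA-DATA { [1] padata-type 167, [2] OCTET STRING of
    PA-PAC-OPTIONS ::= SEQUENCE { [0] KerberosFlags } }."""
    options = der(0x30, der_ctx(0, kerberos_flags(bits)))
    return der(0x30, der_ctx(1, der_int(PA_PAC_OPTIONS))
                     + der_ctx(2, der(0x04, options)))

def _tlv(buf, off=0):
    """Read the DER TLV at off; return (tag, value, offset after it)."""
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + ln], off + ln

def decode_pa_pac_options(padata):
    """Return the set of flag bit numbers carried in a PA-PAC-OPTIONS PA-DATA."""
    _, seq, _ = _tlv(padata)                     # PA-DATA SEQUENCE
    tag, ptype, off = _tlv(seq)                  # [1] padata-type
    if tag != 0xA1 or int.from_bytes(_tlv(ptype)[1], "big") != PA_PAC_OPTIONS:
        raise ValueError("not a PA-PAC-OPTIONS padata")
    _, pval, _ = _tlv(seq, off)                  # [2] padata-value
    _, octets, _ = _tlv(pval)                    # OCTET STRING
    _, inner, _ = _tlv(octets)                   # PA-PAC-OPTIONS SEQUENCE
    _, bitstr, _ = _tlv(_tlv(inner)[1])          # [0] -> BIT STRING
    payload = bitstr[1:]                         # drop the unused-bits octet
    word, nbits = int.from_bytes(payload, "big"), 8 * len(payload)
    return {i for i in range(nbits) if word >> (nbits - 1 - i) & 1}

class KrbError(Exception):
    """KRB-ERROR as the client sees it; substatus is the NTSTATUS from a
    KERB-EXT-ERROR in e-data ([MS-KILE] 2.2.1, 2.2.2), if the KDC sent one."""
    def __init__(self, error_code, substatus=None):
        super().__init__("KRB-ERROR %d substatus=%r" % (error_code, substatus))
        self.error_code, self.substatus = error_code, substatus

class FakeKdc:
    """Constructed stand-in for a KDC (real RODC behaviour is only approximated);
    known_services are the principals this KDC holds secrets for."""
    def __init__(self, name, is_rodc, known_services):
        self.name, self.is_rodc, self.known_services = name, is_rodc, known_services

    def as_req(self, padata):
        return ("TGT", self.name)                # TGT issued by this KDC

    def tgs_req(self, tgt, sname, padata):
        if sname in self.known_services:
            return ("service-ticket", sname, self.name)
        # Only a branch-aware client is told "no secrets here, ask a full DC".
        if self.is_rodc and BRANCH_AWARE in decode_pa_pac_options(padata):
            raise KrbError(KDC_ERR_S_PRINCIPAL_UNKNOWN, STATUS_NO_SECRETS)
        raise KrbError(KDC_ERR_S_PRINCIPAL_UNKNOWN)

def get_service_ticket(tgt, sname, branch_dc, full_dc, log):
    """Client side of 3.2.5.7: TGS-REQ with Branch Aware; on
    KDC_ERR_S_PRINCIPAL_UNKNOWN + STATUS_NO_SECRETS, AS-REQ to a full DC with
    Forward to Full DC, then a new TGS-REQ to that DC with the new TGT."""
    log.append(("TGS-REQ", branch_dc.name, BRANCH_AWARE))
    try:
        return branch_dc.tgs_req(tgt, sname, encode_pa_pac_options(BRANCH_AWARE))
    except KrbError as e:
        if (e.error_code, e.substatus) != (KDC_ERR_S_PRINCIPAL_UNKNOWN,
                                           STATUS_NO_SECRETS):
            raise                                # any other error is final
    log.append(("AS-REQ", full_dc.name, FORWARD_TO_FULL_DC))
    tgt = full_dc.as_req(encode_pa_pac_options(FORWARD_TO_FULL_DC))
    log.append(("TGS-REQ", full_dc.name, BRANCH_AWARE))
    return full_dc.tgs_req(tgt, sname, encode_pa_pac_options(BRANCH_AWARE))
```

The encoder emits the padata as a caller would place it in the TGS-REQ padata sequence; for the Claims case, call `encode_pa_pac_options(CLAIMS, BRANCH_AWARE)` and the two bits land in the same 32-bit KerberosFlags. The client logic deliberately retries only on the exact error-plus-substatus pair, since a bare KDC_ERR_S_PRINCIPAL_UNKNOWN means the service does not exist anywhere and forwarding to a full DC would not help.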

If EnableCBACandArmor is TRUE, the Kerberos client SHOULD<37> use FAST [RFC6113] when the realm supports FAST (section 3.2.5.4).

If EnableCBACandArmor is TRUE and the Compound Identity bit is set in the PA-SUPPORTED-ENCTYPES [165] structure (section 2.2.8) of the TGT for the application server's realm, the Kerberos client SHOULD<38> send a compound identity TGS-REQ: a TGS-REQ sent through FAST with explicit armoring in which the armor ticket is the computer's TGT, so that the KDC can bind the device's identity to the user's in the resulting service ticket.