Using ServicesAllowedToReceiveForwardedTicketsFrom

If the Service 2 account's ServicesAllowedToReceiveForwardedTicketsFrom is nonempty and cname in the encrypted part of both TGTs match, the KDC creates a Token/Authorization Context ([MS-DTYP] section 2.5.2) for Service 1 from the PAC data in Service 1's TGT, and performs an access check using the ServicesAllowedToReceiveForwardedTicketsFrom parameter. If the access check succeeds, then the KDC replies with a service ticket for Service 2 (section<25>