3.2.5.1 Request Flags Details

Kerberos V5 specifies Kerberos ticket-issuing behavior defined by a set of options that are passed to the KDC during the AS exchange or TGS exchange.

Clients set the canonicalize flag ([RFC4120] section 5.4.1, and [Referrals-11] section 3). For non-KILE realms, if RealmCanonicalize is not set for the realm, the client does not set the canonicalize flag.

The client does not set the PROXY or PROXIABLE option ([RFC4120] section 2.5).

If Delegate is set to TRUE, the client sets the FORWARDABLE option in the TGS request. When the client receives a forwardable ticket, it puts the ticket in a KRB_CRED structure ([RFC4120] section 3.6). The client does not forward the ticket unless the TGT is marked OK-AS-DELEGATE ([RFC4120] section 2.8).

If MutualAuthentication is set to TRUE, the client sets the MUTUAL-REQUIRED flag in the KRB_AP_REQ message ([RFC4120] sections 3.2.2 and 3.2.4).
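The following is an added example, not code from MS-KILE or any Microsoft implementation, showing how the option rules above translate into the 32-bit KerberosFlags values a client puts on the wire. The bit numbers come from RFC 4120 (KDCOptions in section 5.4.1, TicketFlags in section 5.3, APOptions in section 5.5.1) and RFC 6806 (canonicalize, bit 15); the function names and the Delegate/RealmCanonicalize/MutualAuthentication parameters are this example's own, chosen to mirror the settings named in the text.

```python
# Added example (not from MS-KILE). Builds the KDCOptions, APOptions and
# TicketFlags checks described in section 3.2.5.1. Each of these types is a
# 32-bit ASN.1 BIT STRING in which bit 0 is the most significant bit of the
# first octet, so bit n maps to the mask 1 << (31 - n).

KDC_OPTIONS = {            # RFC 4120 section 5.4.1, plus RFC 6806 for canonicalize
    "forwardable": 1,
    "proxiable": 3,
    "proxy": 4,
    "renewable": 8,
    "canonicalize": 15,
    "renewable-ok": 27,
}
TICKET_FLAGS = {"forwardable": 1, "ok-as-delegate": 13}   # RFC 4120 section 5.3
AP_OPTIONS = {"use-session-key": 1, "mutual-required": 2}  # RFC 4120 section 5.5.1


def bit(n: int) -> int:
    """Mask for bit number n of a 32-bit KerberosFlags value (bit 0 = MSB)."""
    return 1 << (31 - n)


def build_kdc_options(delegate: bool, kile_realm: bool, realm_canonicalize: bool) -> int:
    """KDCOptions for an AS or TGS request under the rules of this section.

    delegate           -- the client's Delegate setting
    kile_realm         -- True when the target realm is a KILE realm
    realm_canonicalize -- the RealmCanonicalize setting for a non-KILE realm
    """
    opts = 0
    # Canonicalize is set, except for a non-KILE realm without RealmCanonicalize.
    if kile_realm or realm_canonicalize:
        opts |= bit(KDC_OPTIONS["canonicalize"])
    # FORWARDABLE is requested only when Delegate is TRUE.
    if delegate:
        opts |= bit(KDC_OPTIONS["forwardable"])
    # The client never requests PROXY or PROXIABLE; guard against regressions.
    assert not opts & (bit(KDC_OPTIONS["proxy"]) | bit(KDC_OPTIONS["proxiable"]))
    return opts


def build_ap_options(mutual_authentication: bool) -> int:
    """APOptions for KRB_AP_REQ: MUTUAL-REQUIRED set iff MutualAuthentication is TRUE."""
    return bit(AP_OPTIONS["mutual-required"]) if mutual_authentication else 0


def may_forward_ticket(tgt_flags: int) -> bool:
    """A forwardable ticket is placed in KRB_CRED and sent only if the TGT
    the text refers to carries OK-AS-DELEGATE."""
    return bool(tgt_flags & bit(TICKET_FLAGS["ok-as-delegate"]))


def flags_to_der(value: int) -> bytes:
    """DER encoding of a 32-bit KerberosFlags BIT STRING:
    tag 0x03, length 5, one octet of unused-bit count (0), four octets of bits."""
    return b"\x03\x05\x00" + value.to_bytes(4, "big")


def describe(value: int, names: dict) -> list:
    """Names of the set bits, useful when inspecting a captured request."""
    return [name for name, n in names.items() if value & bit(n)]


if __name__ == "__main__":
    opts = build_kdc_options(delegate=True, kile_realm=True, realm_canonicalize=False)
    print(hex(opts), describe(opts, KDC_OPTIONS), flags_to_der(opts).hex())
```

With Delegate set against a KILE realm the KDCOptions value is 0x40010000 (FORWARDABLE and canonicalize), which is a quick way to confirm from a packet capture that a client is following these rules and is not asking for PROXY or PROXIABLE.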

If the Kerberos client does not have network access to the KDC and KKDCP is supported, the Kerberos client calls ProxyMessage() ([MS-KKDCP] section 3.1.5.1) where:

  • kerb-message contains the KRB_AS_REQ or KRB_TGS_REQ message.

  • target-domain contains the realm field of the KRB_AS_REQ or KRB_TGS_REQ message ([RFC4120] section 5.4.1).

  • dclocator-hint contains the Flags parameter ([MS-NRPC] section 3.5.4.3.1) that the client used when locating a domain controller for this Kerberos message and determining that no KDC was accessible.

If Output_kerb_message is returned, then process the KRB_AS_REP, KRB_TGS_REP, or KRB_ERROR message contained in Output_kerb_message.kerb-message. Otherwise, the Kerberos client fails.
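As an added example (not code from MS-KKDCP, MS-KILE or any Microsoft implementation), the following shows the message that ProxyMessage() sends and how the reply is unwrapped: the KDC-PROXY-MESSAGE structure from [MS-KKDCP] section 2.2.2 with its three fields, the 4-byte length prefix on kerb-message, and the check that Output_kerb_message.kerb-message holds a KRB_AS_REP, KRB_TGS_REP or KRB_ERROR before it is processed. The DER helpers, the function names and the sample bytes are this example's own; the sample Kerberos messages are constructed placeholders (just the APPLICATION tag with a dummy body), and the dclocator-hint value 0x400 is assumed to be the DS_KDC_REQUIRED bit of the DsGetDcName flags rather than taken from the page.

```python
# Added example (not from MS-KKDCP or MS-KILE). Minimal DER helpers to build the
# KDC-PROXY-MESSAGE passed to ProxyMessage() and to unwrap the reply.
import struct

# ASN.1 tags used by KDC-PROXY-MESSAGE ([MS-KKDCP] section 2.2.2) and by the
# Kerberos messages it carries (APPLICATION tags, RFC 4120 section 5.10).
SEQUENCE, OCTET_STRING, INTEGER, GENERAL_STRING = 0x30, 0x04, 0x02, 0x1B
CTX0, CTX1, CTX2 = 0xA0, 0xA1, 0xA2   # [0] kerb-message, [1] target-domain, [2] dclocator-hint
APPLICATION_TAGS = {0x6A: "KRB_AS_REQ", 0x6B: "KRB_AS_REP", 0x6C: "KRB_TGS_REQ",
                    0x6D: "KRB_TGS_REP", 0x7E: "KRB_ERROR"}


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def der_int(n: int) -> bytes:
    """Minimal DER INTEGER content for a non-negative value (leading 0x00 if MSB set)."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_kdc_proxy_message(kerb_message: bytes, target_domain=None, dclocator_hint=None) -> bytes:
    """Encode KDC-PROXY-MESSAGE { kerb-message [0], target-domain [1], dclocator-hint [2] }."""
    # kerb-message carries the Kerberos message with the 4-byte big-endian
    # length prefix used on TCP (RFC 4120 section 7.2.2).
    framed = struct.pack(">I", len(kerb_message)) + kerb_message
    body = der_tlv(CTX0, der_tlv(OCTET_STRING, framed))
    if target_domain is not None:   # realm field of the AS-REQ / TGS-REQ
        body += der_tlv(CTX1, der_tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:  # the DC locator Flags value the client used
        body += der_tlv(CTX2, der_tlv(INTEGER, der_int(dclocator_hint)))
    return der_tlv(SEQUENCE, body)


def parse_kdc_proxy_message(der: bytes) -> dict:
    """Decode a KDC-PROXY-MESSAGE, validating the kerb-message length prefix."""
    tag, body, end = der_read(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a KDC-PROXY-MESSAGE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx, wrapped, pos = der_read(body, pos)
        fields[ctx] = der_read(wrapped)[:2]          # (inner tag, inner content)
    if CTX0 not in fields or fields[CTX0][0] != OCTET_STRING:
        raise ValueError("kerb-message missing")
    framed = fields[CTX0][1]
    if len(framed) < 4:
        raise ValueError("kerb-message shorter than its length prefix")
    (declared,) = struct.unpack(">I", framed[:4])
    if declared != len(framed) - 4:
        raise ValueError("kerb-message length prefix does not match payload")
    out = {"kerb-message": framed[4:]}
    if CTX1 in fields:
        out["target-domain"] = fields[CTX1][1].decode("ascii")
    if CTX2 in fields:
        out["dclocator-hint"] = int.from_bytes(fields[CTX2][1], "big")
    return out


def classify_reply(kerb_message: bytes) -> str:
    """Name the KDC reply by its APPLICATION tag; only the reply types the
    client is expected to process (AS-REP, TGS-REP, KRB-ERROR) are accepted."""
    kind = APPLICATION_TAGS.get(kerb_message[0] if kerb_message else -1)
    if kind not in ("KRB_AS_REP", "KRB_TGS_REP", "KRB_ERROR"):
        raise ValueError("unexpected message in Output_kerb_message: %r" % kind)
    return kind


if __name__ == "__main__":
    # Constructed stand-in for a DER-encoded KRB_AS_REQ (APPLICATION 10 tag
    # plus a dummy body). A real client supplies the complete AS-REQ here.
    fake_as_req = b"\x6a\x03\x02\x01\x05"
    req = build_kdc_proxy_message(fake_as_req, "CONTOSO.COM", 0x400)  # 0x400: assumed DS_KDC_REQUIRED
    print(req.hex())
    # Constructed stand-in for a proxy reply wrapping a KRB_ERROR.
    reply = build_kdc_proxy_message(b"\x7e\x03\x02\x01\x05")
    print(classify_reply(parse_kdc_proxy_message(reply)["kerb-message"]))
```

The length-prefix check in parse_kdc_proxy_message matters on the receiving side: a proxy or client that trusts the declared length rather than the actual octet string size will mis-frame the inner Kerberos message, so the two are compared before anything is handed to the KRB_AS_REP, KRB_TGS_REP or KRB_ERROR processing.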