All Key Distribution Centers (KDCs) and Kerberos servers that send or receive the Service for User (S4U) extensions in the KRB_TGS_REQ and KRB_TGS_REP messages have to recognize the protocol extensions. Services can detect whether the KDC supports these extensions by checking the client name of the returned ticket. KDCs that do not understand these extensions will return the client name as the service that is making the request. KDCs that understand these extensions either return an error or return a service ticket that contains the client name as the user, not the service that is making the request.<4>
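The client-name check described above, written out as an added example that is not part of the original specification text. `Principal`, `TgsReply` and both functions are hypothetical stand-ins for decoded Kerberos messages; the comparison is assumed to be exact on name components and realm, and KDC name canonicalization is not modeled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class S4UResult(Enum):
    NO_TICKET = "KDC returned an error; there is no ticket to inspect"
    UNSUPPORTED = "cname is the requesting service; extension was ignored"
    SUPPORTED = "cname is the requested user"
    UNEXPECTED = "cname is neither the service nor the requested user"


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # name-string components, e.g. ("HTTP", "host")
    realm: str


@dataclass(frozen=True)
class TgsReply:
    """Hypothetical stand-in for a decoded KRB_TGS_REP or KRB_ERROR."""
    cname: Optional[Principal] = None   # crealm + cname of the returned ticket
    error_code: Optional[int] = None    # set when the KDC answered with an error


def classify_s4u_reply(service: Principal, user: Principal,
                       reply: TgsReply) -> S4UResult:
    """Apply the client-name check to the reply for an S4U request."""
    if reply.error_code is not None or reply.cname is None:
        return S4UResult.NO_TICKET
    if reply.cname == service:
        # The KDC processed an ordinary TGS request: the ticket names the
        # service itself and says nothing about the user.
        return S4UResult.UNSUPPORTED
    if reply.cname == user:
        return S4UResult.SUPPORTED
    return S4UResult.UNEXPECTED


def may_act_for_user(service: Principal, user: Principal,
                     reply: TgsReply) -> bool:
    """Fail closed: only a ticket whose client name is the user counts."""
    return classify_s4u_reply(service, user, reply) is S4UResult.SUPPORTED


# Constructed sample principals (not taken from the specification).
SERVICE = Principal(("HTTP", "web01.example.test"), "EXAMPLE.TEST")
USER = Principal(("alice",), "EXAMPLE.TEST")
```

A service that skips this check and treats any returned ticket as the user's would end up acting on a ticket issued in its own name.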
To support the lookup of users based on a supplied certificate, the KDC has access to an accounts database that supports looking up user accounts by one or more fields present in the certificate.