3.2.5.1.1 KDC Replies with Referral TGT

When a KDC determines that a referral TGT is required ([RFC6806] section 8), if Service 1 is not in the KDC's realm, the KDC replies with a referral TGT where:

  • KRB_TGS_REP cname contains the name of Service 1.

  • KRB_TGS_REP crealm contains the realm of Service 1.

  • If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], and a PAC is provided, the Name field of the PAC_CLIENT_INFO structure in the referral TGT's PAC contains username@userRealm. This format is the single-string representation ([RFC1964] section 2.1.1) built from the username and userRealm fields of the PA-FOR-USER pre-authentication data.
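The three fields above, as an added Python example that is not part of MS-SFU or any implementation of it: it assembles the referral reply from Service 1's principal and the PA-FOR-USER data, and provides a consistency check that a receiving service or a monitor can run on such a reply (cname must be Service 1, while the user appears only in PAC_CLIENT_INFO.Name). It goes slightly beyond the page by applying the full quoting rules of [RFC1964] section 2.1.1 when forming username@userRealm. The dict layouts, field names and sample principals are assumptions made for illustration.

```python
# Added example (not MS-SFU code): build the referral-TGT fields described above
# and check a reply against the S4U2self request that produced it. The dict
# layouts, field names and sample principals are assumptions for illustration.

def _quote(text: str, realm: bool = False) -> str:
    """Quote one name component (or the realm) per RFC 1964 section 2.1.1."""
    if realm and any(ch in text for ch in "/:\0"):
        raise ValueError("'/', ':' and NUL may not occur in a realm name")
    specials = {"\n": "\\n", "\t": "\\t", "\b": "\\b", "\0": "\\0"}
    out = []
    for ch in text:
        if ch in "\\@" or (ch == "/" and not realm):
            out.append("\\" + ch)          # separator or quote char: escape it
        else:
            out.append(specials.get(ch, ch))
    return "".join(out)

def single_string_name(components: list[str], realm: str) -> str:
    """username@userRealm in the RFC 1964 2.1.1 single-string representation."""
    if not components or "" in components:
        raise ValueError("principal needs at least one non-empty component")
    return "/".join(_quote(c) for c in components) + "@" + _quote(realm, realm=True)

def build_referral_reply(service1: dict, pa_for_user: dict, with_pac: bool) -> dict:
    """KRB_TGS_REP fields for a referral TGT answering an S4U2self request."""
    reply = {"cname": list(service1["name"]), "crealm": service1["realm"]}
    if with_pac:  # PAC_CLIENT_INFO.Name carries the *user*; cname does not
        reply["pac_client_info_name"] = single_string_name(
            pa_for_user["username"], pa_for_user["userRealm"])
    return reply

def check_referral_reply(reply: dict, service1: dict, pa_for_user: dict) -> list[str]:
    """Consistency check a receiving service (or a monitor) can apply."""
    problems = []
    if reply.get("cname") != list(service1["name"]):
        problems.append("cname is not Service 1")
    if reply.get("crealm") != service1["realm"]:
        problems.append("crealm is not the realm of Service 1")
    if "pac_client_info_name" in reply:
        expected = single_string_name(pa_for_user["username"], pa_for_user["userRealm"])
        if reply["pac_client_info_name"] != expected:
            problems.append("PAC_CLIENT_INFO Name does not match PA-FOR-USER")
    return problems

# Constructed sample: Service 1 and the user named in PA-FOR-USER.
SERVICE1 = {"name": ["http", "web01.corp.example"], "realm": "CORP.EXAMPLE"}
PA_FOR_USER = {"username": ["alice"], "userRealm": "USERS.EXAMPLE"}
```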