3.2.5.1.2 KDC Replies with Service Ticket

When a KDC processes a TGS-REQ ([RFC4120] section 3.3.2) and the Service 1 account is in the KDC's realm, the KDC MUST reply with the service ticket, where:

sname contains the name of Service 1.

realm contains the realm of Service 1.

cname contains the userName field of the PA-FOR-USER data.

crealm contains the userRealm field of the PA-FOR-USER data.

If the TrustedToAuthenticationForDelegation parameter on the Service 1 principal is set to:

TRUE: the KDC MUST set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.

FALSE and ServicesAllowedToSendForwardedTicketsTo is nonempty: the KDC MUST NOT set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.<16>

If the DelegationNotAllowed parameter on the principal is set, then the KDC SHOULD NOT set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.<17>

If the KRB_TGS_REQ message contains a PA-S4U-X509-USER padata type, the KDC MUST include the PA-S4U-X509-USER padata type in the KRB_TGS_REP message.

If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], the KDC, when populating the KERB_VALIDATION_INFO Structure ([MS-KILE] section 3.3.5.6.4.1), MUST NOT include the AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID in the ExtraSids field and SHOULD<18> add the SERVICE_ASSERTED_IDENTITY SID ([MS-DTYP] section 2.4.2.4) instead.
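The rules above form one decision procedure: copy the identity from PA-FOR-USER into the ticket, pick the FORWARDABLE flag from the three delegation attributes of Service 1, echo PA-S4U-X509-USER when it was sent, and swap the asserted-identity SID in the PAC. The following Python model is an added example, not code from [MS-SFU] or from any KDC implementation; `ServiceAccount`, `TgsReq`, `build_s4u2self_reply` and `check_s4u2self_reply` are names chosen here, the SID values are taken from [MS-DTYP] section 2.4.2.4, and the realm and principal names are constructed. The checker is the part a practitioner would reuse: given a decoded reply and the account's attributes, it lists which requirements of this section a KDC violated. Two cases the section leaves open (TrustedToAuthenticationForDelegation FALSE with an empty ServicesAllowedToSendForwardedTicketsTo list, and the SHOULD NOT versus MUST conflict when DelegationNotAllowed is also set) are handled by a labelled modelling choice, not by the specification.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Well-known SIDs defined in [MS-DTYP] section 2.4.2.4 (the values are not quoted on this page).
AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"
SERVICE_ASSERTED_IDENTITY = "S-1-18-2"


@dataclass(frozen=True)
class ServiceAccount:
    """Attributes of the Service 1 principal that section 3.2.5.1.2 consults (model, not a real schema)."""
    name: str
    realm: str
    trusted_to_authenticate_for_delegation: bool = False        # TrustedToAuthenticationForDelegation
    allowed_to_send_forwarded_tickets_to: Tuple[str, ...] = ()  # ServicesAllowedToSendForwardedTicketsTo
    delegation_not_allowed: bool = False                        # DelegationNotAllowed


@dataclass(frozen=True)
class TgsReq:
    """The parts of an S4U2self TGS-REQ the KDC reads here (constructed model)."""
    user_name: str    # PA-FOR-USER userName
    user_realm: str   # PA-FOR-USER userRealm
    padata_types: FrozenSet[str] = frozenset({"PA-FOR-USER"})


def forwardable_for(svc: ServiceAccount) -> bool:
    """Decide the FORWARDABLE flag of the S4U2self service ticket."""
    if svc.delegation_not_allowed:
        return False  # SHOULD NOT set; modelled as taking precedence over the MUST below (assumption)
    if svc.trusted_to_authenticate_for_delegation:
        return True   # TRUE: MUST set
    if svc.allowed_to_send_forwarded_tickets_to:
        return False  # FALSE and list nonempty: MUST NOT set
    return False      # FALSE and list empty: not covered by this section; left clear here (assumption)


def build_s4u2self_reply(kdc_realm: str, svc: ServiceAccount, req: TgsReq,
                         supports_pac: bool = True) -> dict:
    """Produce a reply that follows every rule of section 3.2.5.1.2."""
    if svc.realm != kdc_realm:
        raise ValueError("Service 1 is not in this KDC's realm; section 3.2.5.1.2 does not apply")
    ticket = {
        "sname": svc.name,
        "realm": svc.realm,
        "cname": req.user_name,      # identity comes from PA-FOR-USER, not from the requester
        "crealm": req.user_realm,
        "flags": {"FORWARDABLE"} if forwardable_for(svc) else set(),
    }
    padata = {"PA-S4U-X509-USER"} if "PA-S4U-X509-USER" in req.padata_types else set()
    # KERB_VALIDATION_INFO.ExtraSids: SERVICE_ASSERTED_IDENTITY replaces the authentication-authority SID.
    extra_sids = [SERVICE_ASSERTED_IDENTITY] if supports_pac else []
    return {"ticket": ticket, "padata": padata, "extra_sids": extra_sids}


def check_s4u2self_reply(reply: dict, kdc_realm: str, svc: ServiceAccount, req: TgsReq) -> List[str]:
    """Return the requirements of section 3.2.5.1.2 that a decoded reply violates (empty = conformant)."""
    problems: List[str] = []
    t = reply["ticket"]
    if svc.realm != kdc_realm:
        return ["Service 1 not in KDC realm: this section does not apply"]
    if t["sname"] != svc.name:
        problems.append("sname MUST contain the name of Service 1")
    if t["realm"] != svc.realm:
        problems.append("realm MUST contain the realm of Service 1")
    if t["cname"] != req.user_name:
        problems.append("cname MUST contain PA-FOR-USER userName")
    if t["crealm"] != req.user_realm:
        problems.append("crealm MUST contain PA-FOR-USER userRealm")
    fwd = "FORWARDABLE" in t["flags"]
    if svc.delegation_not_allowed and fwd:
        problems.append("DelegationNotAllowed set: KDC SHOULD NOT set FORWARDABLE")
    elif svc.trusted_to_authenticate_for_delegation and not fwd and not svc.delegation_not_allowed:
        problems.append("TrustedToAuthenticationForDelegation TRUE: KDC MUST set FORWARDABLE")
    elif (not svc.trusted_to_authenticate_for_delegation
          and svc.allowed_to_send_forwarded_tickets_to and fwd):
        problems.append("ServicesAllowedToSendForwardedTicketsTo nonempty: KDC MUST NOT set FORWARDABLE")
    if "PA-S4U-X509-USER" in req.padata_types and "PA-S4U-X509-USER" not in reply["padata"]:
        problems.append("KDC MUST echo PA-S4U-X509-USER in the KRB_TGS_REP")
    if AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY in reply["extra_sids"]:
        problems.append("ExtraSids MUST NOT include AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY")
    if reply["extra_sids"] and SERVICE_ASSERTED_IDENTITY not in reply["extra_sids"]:
        problems.append("ExtraSids SHOULD include SERVICE_ASSERTED_IDENTITY")
    return problems
```

Run `check_s4u2self_reply` against replies decoded from a test KDC to confirm that a service with a nonempty ServicesAllowedToSendForwardedTicketsTo list but TrustedToAuthenticationForDelegation FALSE receives a non-forwardable S4U2self ticket; that single check is what separates constrained delegation from protocol transition at the KDC.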