KDC Receives S4U2proxy KRB_TGS_REQ

When a KDC processes a TGS-REQ ([RFC4120] section 3.3.2) and it is a S4U2proxy KRB_TGS_REQ message, the KDC will perform the following steps.

If the service ticket in the additional-tickets field is not set to forwardable<21> and the PA-PAC-OPTIONS [167] ([MS-KILE] section 2.2.10) padata type has the resource-based constrained delegation bit:

  • Not set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.

  • Set and the USER_NOT_DELEGATED bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5), then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NOT_FOUND.

Service 1's KDC verifies both server ([MS-PAC] section 2.8.1) and KDC ([MS-PAC] section 2.8.2) signatures of the PAC. If Service 2 is in another domain, then its KDC verifies only the KDC signature of the PAC. If verification fails, the KDC MUST return KRB-AP-ERR-MODIFIED.

When a KDC determines that a referral TGT is required ([Referrals] section 8), then if Service 2 is not in the KDC's realm, the KDC SHOULD reply with referral TGT (section<22>