22.214.171.124.2 Receives Referral
The SFU client SHOULD send a KRB_TGS_REQ for the user to each referral Key Distribution Center (KDC) until it receives a referral ticket-granting ticket (TGT) for Service 2’s realm. Because the SFU client already has a service ticket for Service 2 (that is, the service ticket obtained by Service 1 for itself), it has the name of Service 2’s realm. The SFU client SHOULD send a KRB_TGS_REQ with the S4U2proxy extensions using the Service 1’s referral TGT:
kdc-options field: MUST include the new cname-in-addl-tkt options flag.
additional-tickets field: The user's referral TGT.
sname and realm fields: The name and realm of Service 2.