Service Sends S4U2self KRB_TGS_REQ

In the S4U2self request, the user is identified either by the user realm and user name or, alternatively, by the user's certificate if the service has it, as specified in sections and . The user identification for these cases is carried in a PA-FOR-USER padata type or a PA-S4U-X509-USER padata type, respectively.

The SFU client SHOULD:<8>

  1. When sending the KRB_TGS_REQ message, add a PA-PAC-OPTIONS [167] ([MS-KILE] section 2.2.10) padata type with the claims bit set to request claims authorization data and with the resource-based constrained delegation bit set to inform the KDC that it supports resource-based constrained delegation.<9>

  2. When receiving the KRB_TGS_REP message, if the claims bit is set in PA-SUPPORTED-ENCTYPES [165] ([MS-KILE] section 2.2.8) and not set in PA-PAC-OPTIONS [167], the Kerberos client SHOULD locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section ) and go back to step 1.
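The two steps above can be illustrated with a small, self-contained example. The following Python is an added example, not code from MS-SFU or from any Kerberos implementation: it DER-encodes the PA-PAC-OPTIONS padata of step 1 (claims bit and resource-based constrained delegation bit set), decodes it again, and implements the step 2 decision of whether the client must find a DS_BEHAVIOR_WIN2012 DC and retry. It uses a minimal hand-written DER encoder rather than an ASN.1 library. Assumptions, to be checked against the cited specifications: the PA-PAC-OPTIONS layout `SEQUENCE { flags [0] KerberosFlags }` with bit 0 = Claims and bit 3 = resource-based constrained delegation ([MS-KILE] section 2.2.10), the claims-supported flag value `0x00040000` in the PA-SUPPORTED-ENCTYPES Int32 ([MS-KILE] section 2.2.8), and the choice to treat an absent PA-PAC-OPTIONS in the reply as "claims bit not set". The PA-FOR-USER padata itself is not built here.

```python
# Added example (not part of MS-SFU): build and inspect the PA-PAC-OPTIONS padata
# from step 1 and apply the step 2 check on a KRB_TGS_REP. Pure Python, no ASN.1 library.

# Padata type numbers named on the page (RFC 4120 / [MS-KILE])
PA_SUPPORTED_ENCTYPES = 165
PA_PAC_OPTIONS = 167

# KerberosFlags bit positions in PA-PAC-OPTIONS (assumed from [MS-KILE] 2.2.10)
PAC_OPT_CLAIMS = 0
PAC_OPT_BRANCH_AWARE = 1
PAC_OPT_FORWARD_TO_FULL_DC = 2
PAC_OPT_RBCD = 3  # resource-based constrained delegation

# Claims-supported flag in the PA-SUPPORTED-ENCTYPES Int32 bit mask (assumed from [MS-KILE] 2.2.8)
SUPPORTED_ENCTYPES_CLAIMS = 0x00040000


def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(v):
    """DER INTEGER with minimal two's-complement encoding."""
    length = max(1, (v.bit_length() + 8) // 8)
    return der_tlv(0x02, v.to_bytes(length, "big", signed=True))


def context(n, content):
    """Explicit context-specific constructed tag [n]."""
    return der_tlv(0xA0 | n, content)


def kerberos_flags(bits):
    """KerberosFlags: 32-bit BIT STRING, bit 0 is the MSB of the first octet."""
    value = 0
    for b in bits:
        value |= 1 << (31 - b)
    return der_tlv(0x03, b"\x00" + value.to_bytes(4, "big"))


def pa_data(ptype, value):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }."""
    return der_tlv(0x30, context(1, der_int(ptype)) + context(2, der_tlv(0x04, value)))


def build_pa_pac_options(claims=True, rbcd=True):
    """Step 1: PA-PAC-OPTIONS [167] with the claims and RBCD bits requested."""
    bits = []
    if claims:
        bits.append(PAC_OPT_CLAIMS)
    if rbcd:
        bits.append(PAC_OPT_RBCD)
    # PA-PAC-OPTIONS ::= SEQUENCE { flags [0] KerberosFlags }  (assumed layout)
    return pa_data(PA_PAC_OPTIONS, der_tlv(0x30, context(0, kerberos_flags(bits))))


def der_parse(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_pa_data(buf):
    """Decode one PA-DATA into (padata-type, padata-value bytes)."""
    tag, seq, _ = der_parse(buf)
    assert tag == 0x30, "PA-DATA must be a SEQUENCE"
    _, t_content, pos = der_parse(seq)       # [1] padata-type
    _, t_int, _ = der_parse(t_content)
    _, v_content, _ = der_parse(seq, pos)    # [2] padata-value
    _, value, _ = der_parse(v_content)
    return int.from_bytes(t_int, "big", signed=True), value


def pac_options_flags(value):
    """Return the set of bit numbers set in a PA-PAC-OPTIONS value."""
    _, seq, _ = der_parse(value)
    _, ctx0, _ = der_parse(seq)
    _, bitstr, _ = der_parse(ctx0)
    unused, data = bitstr[0], bitstr[1:]
    nbits = len(data) * 8 - unused
    return {i for i in range(nbits) if data[i // 8] & (0x80 >> (i % 8))}


def needs_win2012_dc(rep_padata):
    """Step 2: True when the KDC says it supports claims (PA-SUPPORTED-ENCTYPES) but the
    claims bit is not set in the reply's PA-PAC-OPTIONS, i.e. the client should locate a
    DS_BEHAVIOR_WIN2012 DC and resend. rep_padata: list of (type, value) pairs taken
    from the KRB_TGS_REP. An absent PA-PAC-OPTIONS counts as 'not set' (assumption)."""
    supported, pac_bits = 0, set()
    for ptype, value in rep_padata:
        if ptype == PA_SUPPORTED_ENCTYPES:
            _, content, _ = der_parse(value)  # padata-value holds a DER INTEGER
            supported = int.from_bytes(content, "big", signed=True)
        elif ptype == PA_PAC_OPTIONS:
            pac_bits = pac_options_flags(value)
    kdc_claims = bool(supported & SUPPORTED_ENCTYPES_CLAIMS)
    return kdc_claims and PAC_OPT_CLAIMS not in pac_bits


if __name__ == "__main__":
    req = build_pa_pac_options()
    print("PA-PAC-OPTIONS padata:", req.hex())
    # Constructed reply: KDC advertises claims support but echoes no PA-PAC-OPTIONS
    rep = [parse_pa_data(pa_data(PA_SUPPORTED_ENCTYPES, der_int(0x4001C)))]
    print("retry against WIN2012 DC:", needs_win2012_dc(rep))
```

The encoder is enough to show the padata on the wire; a real client would hand the same bytes to its Kerberos library as an extra pa-data element on the KRB_TGS_REQ, and would read PA-SUPPORTED-ENCTYPES and PA-PAC-OPTIONS from wherever that library surfaces the reply's padata.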