220.127.116.11.1.2 Sending the S4USelf KRB_TGT_REQ
Service 1 uses the name and realm of the user to locate the appropriate domain controller (DC) to provide the authorization information for the user. The user's realm can be found by local policy, or, if the user name is a user principal name, by using KRB_AS_REQ and KRB-ERROR messages as follows. Service 1 sends a KRB_AS_REQ message without any pre-authentication to Service 1's KDC. If this KDC holds the user's account, then it MUST return KDC_ERR_PREAUTH_REQUIRED, and the user's realm is handled by the KDC. Otherwise, the KDC can refer Service 1 to another realm that might contain the user account or that might have better information about the realm of the user account, as specified in [RFC6806] section 4. The KDC does this by returning a KDC_ERR_WRONG_REALM error (as specified in [RFC4120] section 7.5.9) in the KRB_ERROR message and setting the crealm field to the next realm to try. Service 1 then sends a KRB_AS_REQ message to the next realm, repeating the process until it reaches a KDC in the user's realm or receives some other error.
After the realm with the user's account is identified, Service 1 begins the protocol to retrieve the service ticket on behalf of the user. The first step is for the service to retrieve a TGT to the ticket-granting service (TGS) in the user's realm.
If the user's realm is the same as Service 1's realm, the service already has the TGT that it needs. If the user's account is in a different realm, the service constructs a KRB_TGS_REQ message with the name of the TGS of the user's realm as the sname field in the request. The cname and crealm fields are set to the name and realm of Service 1. See [RFC4120] section 5.3 for the use of sname and cname. If there is not a direct trust relationship with an inter-realm key between Service 1's realm and the user's realm, the service's TGS MUST return a TGT to a realm closer to the user's realm. This process is repeated until Service 1 obtains a TGT to a TGS in the user's realm.
Using the TGT to the TGS in the user's realm, Service 1 requests a service ticket to itself.
If Service 1 sends a PA-FOR-USER (ID129) structure, it consists of four fields: userName, userRealm, cksum, and auth-package. Service 1 sets these fields as follows: The userName is a structure consisting of a name type and a sequence of a name string (as specified in [RFC4120] section 6.2). The name type and name string fields are set to indicate the name of the user. The default name-type is NT_UNKNOWN. The userRealm is the realm of the user account. If the user realm name is unknown, Service 1 SHOULD use its own realm name. The auth-package field MUST be set to the string, "Kerberos". The auth-package field is not case-sensitive.
If sending a PA-S4U-X509-USER (ID 130) structure, the cname and crealm should contain the same values as used for userName and userRealm in a PA-FOR-USER. If a client certificate was provided, the subject-certificate field MUST contain the client's X509 certificate encoded in ASN.1, as specified in [RFC3280].
Multiple intermediate realms might need to be transited. Service 1 MUST send a KRB_TGS_REQ with the S4U2self data in the PA-FOR-USER structure to each TGS in turn along the referral path specified in [RFC6806].