188.8.131.52.2 Receives Referral
The SFU client SHOULD send a KRB_TGS_REQ message for the user to each referral KDC until it receives a referral TGT for Service 2’s realm. Because the SFU client already has a service ticket for Service 2 (that is, the service ticket obtained by Service 1 for itself), it has the name of Service 2’s realm. The SFU client SHOULD send a KRB_TGS_REQ with the S4U2proxy extensions using the Service 1’s referral TGT:
kdc-options field: MUST include the new cname-in-addl-tkt options flag.
additional-tickets field: The user's referral TGT.
sname and realm fields: The name and realm of Service 2.