220.127.116.11 KDC Receives S4U2proxy KRB_TGS_REQ
If the service ticket in the additional-tickets field is not set to forwardable<20> and the PA-PAC-OPTIONS  ([MS-KILE] section 2.2.10) padata type has the resource-based constrained delegation bit:
Not set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.
Set and the USER_NOT_DELEGATED bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5), then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NOT_FOUND.
Service 1's KDC verifies both server ([MS-PAC] section 2.8.1) and KDC ([MS-PAC] section 2.8.2) signatures of the PAC. If Service 2 is in another domain, then its KDC verifies only the KDC signature of the PAC. If verification fails, the KDC MUST return KRB-AP-ERR-MODIFIED.