3.2.5.2.2 KDC Replies with Service Ticket

The KDC MUST reply with the service ticket where:

  • The sname field contains the name of Service 2.

  • The realm field contains the realm of Service 2.

  • The cname field contains the cname from the service ticket in the additional-tickets field.

  • The crealm field contains the crealm from the service ticket in the additional-tickets field.

  • The FORWARDABLE ticket flag is set.

  • The S4U_DELEGATION_INFO structure is in the new PAC.

The TGS returns the new service ticket in the KRB_TGS_REP message to Service 1.

If the PAC of the service ticket in the additional-tickets field does not have an S4U_DELEGATION_INFO structure ([MS-PAC] section 2.9), the KDC MUST add an S4U_DELEGATION_INFO structure to the new PAC where:

  • S4U2proxyTarget contains the name of Service 2.

  • TransitedListSize is set to 1.

Otherwise, if a PAC was provided, the KDC MUST copy the existing S4U_DELEGATION_INFO structure into the new PAC and increment the TransitedListSize field by 1.

The KDC MUST also add the name of Service 1 to the S4UTransitedServices list in the structure.
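The rules above, modelled as an added example that is not part of the specification: the class and function names are hypothetical, the structures are plain Python objects rather than the PAC wire encoding, and the service and realm names are constructed. The final helper is a consistency check a PAC parser or audit tool can apply to the result.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class S4UDelegationInfo:
    """Simplified model of S4U_DELEGATION_INFO; not the wire encoding."""
    S4U2proxyTarget: str
    TransitedListSize: int
    S4UTransitedServices: List[str] = field(default_factory=list)

@dataclass
class Ticket:
    """Only the ticket fields this section constrains (hypothetical model)."""
    sname: str
    realm: str
    cname: str
    crealm: str
    forwardable: bool
    deleg: Optional[S4UDelegationInfo] = None

def kdc_s4u2proxy_reply(service1: str, service2: str, service2_realm: str,
                        evidence: Ticket) -> Ticket:
    """Build the reply ticket; `evidence` is the additional-tickets ticket."""
    old = evidence.deleg
    if old is None:
        # No structure yet: create one naming Service 2, list size 1.
        info = S4UDelegationInfo(service2, 1)
    else:
        # Copy the existing structure and increment the size. The section
        # states only copy + increment, so the target is left as copied.
        info = S4UDelegationInfo(old.S4U2proxyTarget,
                                 old.TransitedListSize + 1,
                                 list(old.S4UTransitedServices))
    # In both cases Service 1 is appended to the transited list.
    info.S4UTransitedServices.append(service1)
    return Ticket(sname=service2, realm=service2_realm,
                  cname=evidence.cname, crealm=evidence.crealm,
                  forwardable=True, deleg=info)

def list_size_consistent(info: S4UDelegationInfo) -> bool:
    """Parser-side sanity check: the counter must match the list length."""
    return info.TransitedListSize == len(info.S4UTransitedServices)

if __name__ == "__main__":
    # Constructed two-hop chain; all names are made up.
    front = Ticket("http/web", "EXAMPLE.COM", "alice", "EXAMPLE.COM", True)
    hop1 = kdc_s4u2proxy_reply("http/web", "cifs/fs", "EXAMPLE.COM", front)
    hop2 = kdc_s4u2proxy_reply("cifs/fs", "mssql/db", "EXAMPLE.COM", hop1)
    print(hop2.deleg, list_size_consistent(hop2.deleg))
```

After two hops the transited list reads as the delegation path in order, which is what an auditor would compare against the services permitted to delegate.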