3.2.5.2.3 Using ServicesAllowedToReceiveForwardedTicketsFrom

If the delegation policy was not satisfied via ServicesAllowedToSendForwardedTicketsTo, this is the KDC for Service 2, and the Service 2 account's ServicesAllowedToReceiveForwardedTicketsFrom is nonempty and cname in the encrypted part of both TGTs match, the KDC creates a Token/Authorization Context ([MS-DTYP] section 2.5.2) for Service 1 from the PAC data in Service 1's TGT. Then the KDC performs an access check using the ServicesAllowedToReceiveForwardedTicketsFrom parameter.<21> If the access check succeeds, then the KDC replies with a service ticket for Service 2. If the access check fails, the KDC MUST return KRB-ERR-BADOPTION with STATUS_NOT_FOUND.

If the service ticket in the additional-tickets field is not set to forwardable,<22> and the USER_NOT_DELEGATED bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5), then the KDC MUST return KRB-ERR-BADOPTION with STATUS_ACCOUNT_RESTRICTION ([MS-ERREF] section 2.3.1).

When a KDC determines that a referral TGT is required ([RFC6806] section 8), then if Service 2 is not in the KDC's realm, the KDC SHOULD<23> reply with referral TGT (section 3.2.5.1.1).