3.1.5.1.1.1 When to Use Each padata Type
What padata type Service 1 sends is determined by two factors. First, determine whether the TGT session key is of a newer type, defined here as ciphers that are not DES or RC4 based. Second, determine whether the client username was provided explicitly or was extracted from a certificate.
Service 1 SHOULD populate and send a PA-FOR-USER structure when one of the following is true:
No certificate was presented for the user.
No user name was explicitly provided, and instead a certificate was provided that contained the user name in the Subject Alternate Name (SAN) field.
Service 1 SHOULD populate and send a PA-S4U-X509-USER structure when one of the following is true:
No PA-FOR-USER is being sent.
The session key of the TGT being used is not a DES or RC4 key type.
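
The two rule sets above combined into one decision function, as an added example that is not part of the specification text. The field names, the `select_padata` helper, the set of etype numbers counted as DES or RC4 based (1, 2, 3, 23, 24) and the rejection of a request that has neither a user name nor a certificate are assumptions of this example.

```python
from dataclasses import dataclass

# Kerberos padata type numbers for the two S4U2self structures.
PA_FOR_USER = 129
PA_S4U_X509_USER = 130

# Assumption: etypes treated as "DES or RC4 based" (Kerberos etype numbers).
LEGACY_ETYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}


@dataclass(frozen=True)
class S4URequestContext:
    """Hypothetical description of what Service 1 holds before building the request."""
    tgt_session_key_etype: int            # etype of the TGT session key
    explicit_user_name: bool              # user name supplied directly by the caller
    certificate_presented: bool           # a certificate was supplied for the user
    san_contains_user_name: bool = False  # certificate SAN carries the user name


def select_padata(ctx: S4URequestContext) -> list[int]:
    """Return the padata types Service 1 sends, in ascending numeric order."""
    if not ctx.explicit_user_name and not ctx.certificate_presented:
        # Assumption of this example: nothing identifies the user, so refuse.
        raise ValueError("neither a user name nor a certificate was provided")

    legacy_key = ctx.tgt_session_key_etype in LEGACY_ETYPES

    # PA-FOR-USER: no certificate at all, or the name came only from the SAN.
    send_for_user = (not ctx.certificate_presented) or (
        not ctx.explicit_user_name and ctx.san_contains_user_name
    )
    # PA-S4U-X509-USER: PA-FOR-USER is absent, or the key is a newer type.
    send_x509_user = (not send_for_user) or (not legacy_key)

    padata = []
    if send_for_user:
        padata.append(PA_FOR_USER)
    if send_x509_user:
        padata.append(PA_S4U_X509_USER)
    return padata
```

With a newer session key type both structures are sent whenever PA-FOR-USER qualifies; with a DES or RC4 key exactly one of the two is sent.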