3.1.5.1.1.1 When to Use Each padata Type

Which padata type Service 1 sends is determined by two factors. The first is whether the TGT session key is of a newer type, defined here as a cipher that is not DES or RC4 based. The second is whether the client user name was provided explicitly or was extracted from a certificate.

Service 1 SHOULD populate and send a PA-FOR-USER structure when one of the following is true:

  • No certificate was presented for the user.

  • No user name was explicitly provided, and instead a certificate was provided that contained the user name in the Subject Alternative Name (SAN) field.

Service 1 SHOULD populate and send a PA-S4U-X509-USER structure when one of the following is true:

  • No PA-FOR-USER is being sent.

  • The session key of the TGT being used is not a DES or RC4 key type.
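The two rules above form a small decision table; the following added example (not code from MS-SFU or any Kerberos implementation) encodes it as a function a service could call before building its S4U2self request. The encryption type and padata-type numbers are the standard Kerberos and MS-SFU values; the user names are constructed sample inputs.

```python
from typing import List, Optional

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
DES_CBC_CRC = 1
DES_CBC_MD4 = 2
DES_CBC_MD5 = 3
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23
RC4_HMAC_EXP = 24

# padata-type values assigned by MS-SFU (sections 2.2.1 and 2.2.2).
PA_FOR_USER = 129
PA_S4U_X509_USER = 130

# "Older" session key types per the text: anything DES or RC4 based.
LEGACY_ENCTYPES = {DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5, RC4_HMAC, RC4_HMAC_EXP}


def is_newer_key_type(enctype: int) -> bool:
    """True when the TGT session key is neither DES nor RC4 based."""
    return enctype not in LEGACY_ENCTYPES


def select_padata(tgt_session_enctype: int,
                  user_name: Optional[str],
                  cert_san_name: Optional[str]) -> List[int]:
    """Return the padata types Service 1 should send, in the order the spec lists them.

    user_name     -- the client name if it was provided explicitly, else None
    cert_san_name -- the name carried in a presented certificate's SAN, else None
    """
    if user_name is None and cert_san_name is None:
        raise ValueError("need an explicit user name or a certificate carrying one")
    certificate_presented = cert_san_name is not None
    padata: List[int] = []
    # PA-FOR-USER: no certificate at all, or the name comes only from the SAN.
    if not certificate_presented or user_name is None:
        padata.append(PA_FOR_USER)
    # PA-S4U-X509-USER: nothing else is being sent, or the key type is newer.
    if PA_FOR_USER not in padata or is_newer_key_type(tgt_session_enctype):
        padata.append(PA_S4U_X509_USER)
    return padata


if __name__ == "__main__":
    # Constructed sample: explicit name, AES256 TGT session key -> both structures.
    print(select_padata(AES256_CTS_HMAC_SHA1_96, "alice", None))
```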