3.1.5.1.2 Service Receives S4U2self KRB_TGS_REP

Services can detect whether the KDC supports S4U by checking the cname of the returned ticket. KDCs that do not support S4U ignore the S4U2self and S4U2proxy data and return a service ticket with the cname that contains the name of the service that made the request ([RFC4120] section 3.3.3). In service tickets from KDCs that support S4U, the cname contains the name of the user.

Services can further detect whether the KDC supports PA_S4U_X509_USER by checking the reply padata for PA-S4U-X509-USER preauthentication data. Furthermore, the KDC uses this reply padata to return a normalized form of the user name. Service 1 MUST take the cname from the reply PA-S4U-X509-USER and use it to replace both the cname in PA-S4U-X509-USER and the userName in PA-FOR-USER in any subsequent KRB_TGS_REQ requests used to chase referrals back to Service 1’s realm. Additionally, the certificate is removed from the PA-S4U-X509-USER padata.
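The two checks above and the padata rewrite for referral chasing, as an added example that is not part of the specification text. It assumes a KRB_TGS_REP that has already been ASN.1-decoded into plain Python dicts with simplified field names (`cname`, `userName`, `certificate`); the padata type numbers 129 (PA-FOR-USER) and 130 (PA-S4U-X509-USER) are the values [MS-SFU] assigns, and the sample replies are constructed here.

```python
# Added illustration of S4U2self KRB_TGS_REP handling (not code from [MS-SFU]).
# Assumption: decoded messages are modelled as plain dicts with simplified keys.
PA_FOR_USER = 129        # padata type assigned by [MS-SFU]
PA_S4U_X509_USER = 130   # padata type assigned by [MS-SFU]

# Constructed sample data: Service 1 is cifs/fileserver and asked for a
# ticket to itself on behalf of "alice".
SERVICE_CNAME = "cifs/fileserver"

# A KDC without S4U support ignores the S4U data and issues a plain
# self-ticket: cname is the requesting service, no S4U padata in the reply.
LEGACY_REPLY = {"ticket": {"cname": SERVICE_CNAME}, "padata": []}

# An S4U-capable KDC puts the user in cname and returns PA-S4U-X509-USER
# carrying the normalized form of the name.
S4U_REPLY = {
    "ticket": {"cname": "alice"},
    "padata": [{"type": PA_S4U_X509_USER, "value": {"cname": "Alice"}}],
}

# Padata of the follow-up KRB_TGS_REQ Service 1 would send to chase a referral.
REQUEST_PADATA = [
    {"type": PA_FOR_USER, "value": {"userName": "alice"}},
    {"type": PA_S4U_X509_USER,
     "value": {"cname": "alice", "certificate": b"<constructed DER bytes>"}},
]


def kdc_supports_s4u(reply, service_cname):
    """Section 3.1.5.1.2: a cname equal to the requesting service means the
    KDC ignored the S4U data; any other cname is the impersonated user."""
    return reply["ticket"]["cname"] != service_cname


def reply_s4u_x509_user(reply):
    """Return the PA-S4U-X509-USER padata value from the reply, or None."""
    for pa in reply.get("padata", []):
        if pa["type"] == PA_S4U_X509_USER:
            return pa["value"]
    return None


def normalized_user_name(reply):
    """KDC-normalized user name, present only if PA_S4U_X509_USER is supported."""
    pa = reply_s4u_x509_user(reply)
    return pa["cname"] if pa else None


def rewrite_referral_padata(request_padata, normalized_cname):
    """Apply the MUST from the text to a follow-up KRB_TGS_REQ: replace the
    cname in PA-S4U-X509-USER and the userName in PA-FOR-USER with the
    normalized name, and drop the certificate. Returns a new list."""
    out = []
    for pa in request_padata:
        pa = {"type": pa["type"], "value": dict(pa["value"])}  # don't mutate input
        if pa["type"] == PA_S4U_X509_USER:
            pa["value"]["cname"] = normalized_cname
            pa["value"].pop("certificate", None)
        elif pa["type"] == PA_FOR_USER:
            pa["value"]["userName"] = normalized_cname
        out.append(pa)
    return out


def prepare_referral_padata(reply, service_cname, request_padata):
    """Full procedure: verify S4U support, then rewrite the referral padata
    with the normalized name if the KDC supplied one. Raises if the KDC
    returned a plain self-ticket instead of an S4U2self ticket."""
    if not kdc_supports_s4u(reply, service_cname):
        raise ValueError("KDC does not support S4U: ticket cname is the service itself")
    name = normalized_user_name(reply)
    if name is None:  # S4U supported but not PA_S4U_X509_USER: keep names as sent
        return [dict(pa, value=dict(pa["value"])) for pa in request_padata]
    return rewrite_referral_padata(request_padata, name)


if __name__ == "__main__":
    print(kdc_supports_s4u(LEGACY_REPLY, SERVICE_CNAME))   # False
    print(prepare_referral_padata(S4U_REPLY, SERVICE_CNAME, REQUEST_PADATA))
```

The cname comparison is the only signal a service has on a legacy KDC, so a service that proceeds to S4U2proxy without it would be presenting a ticket for itself rather than for the user.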