3.2.5.6 Forwardable TGT Request

When the client requests a forwardable TGT ([RFC4120] Section 2.6) for the application server, the client SHOULD:<36>

  • Set the etype field of the TGS-REQ to the contents of the keytype field in the previous TGS-REP to specify the common encryption type.

  • Provide a PA-SUPPORTED-ENCTYPES [165] value (section 2.2.7) for padata, based on the encryption types (section 3.1.5.2) mutually supported by the KDC and the application server for the session key with the delegated TGT. The client uses the KDC encryption types provided in the AS-REP from the KDC and the application server encryption types provided in the previous TGS-REP message for the application server.