1.3 Overview

This protocol extends Kerberos by specifying Service for User (S4U) extensions in relation to [RFC4120] and [RFC6806].

S4U supports two subprotocols: Service for User to Self (S4U2self) and Service for User to Proxy (S4U2proxy). Both extensions allow a service to request a ticket from the Key Distribution Center (KDC) on behalf of a user. With S4U2self the service obtains a ticket to itself; with S4U2proxy it obtains a ticket to another service. In a service ticket obtained through these extensions, the client name, realm, and authorization data are those of the user, not of the service making the S4U request. This contrasts with the Kerberos protocol specified in [RFC4120], where any service ticket requested by a service has the client name, realm, and authorization data of that requesting service.
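The identity difference described above can be traced with a small model. This is an added example, not part of the specification: `ToyKDC`, its method names and the sample principals are hypothetical, and it tracks only whose identity a ticket carries, with encryption and delegation policy checks omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    realm: str
    authz: tuple          # constructed stand-in for authorization data

@dataclass(frozen=True)
class Ticket:
    cname: str            # client name carried in the ticket
    crealm: str
    authz: tuple
    sname: str            # service the ticket is addressed to

class ToyKDC:
    """Identity bookkeeping only: no encryption, no delegation policy."""
    def __init__(self, principals):
        self.db = {(p.name, p.realm): p for p in principals}

    def _issue(self, client, sname):
        return Ticket(client.name, client.realm, client.authz, sname)

    def tgs_req(self, requester, target):
        # Plain RFC 4120 request: the ticket names the requesting service.
        return self._issue(requester, target)

    def s4u2self(self, requester, user_name, user_realm):
        # Ticket is addressed to the requester itself but names the user.
        return self._issue(self.db[(user_name, user_realm)], requester.name)

    def s4u2proxy(self, requester, evidence, target):
        # Assumption from the wider S4U design, not this overview: the
        # service presents the user's ticket to itself as evidence.
        if evidence.sname != requester.name:
            raise PermissionError("evidence ticket not addressed to requester")
        return self._issue(self.db[(evidence.cname, evidence.crealm)], target)

# Constructed sample principals.
WEB = Principal("HTTP/web01", "EXAMPLE.COM", ("Domain Computers",))
ALICE = Principal("alice", "EXAMPLE.COM", ("Domain Users", "Finance"))
KDC = ToyKDC([WEB, ALICE])

def demo():
    plain = KDC.tgs_req(WEB, "MSSQLSvc/db01")
    to_self = KDC.s4u2self(WEB, "alice", "EXAMPLE.COM")
    to_proxy = KDC.s4u2proxy(WEB, to_self, "MSSQLSvc/db01")
    return plain, to_self, to_proxy

if __name__ == "__main__":
    for t in demo():
        print(t)
```

A downstream service that authorizes on the ticket's client fields sees `alice` in both S4U cases, even though `HTTP/web01` made every request.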