3.2.5.2.1 Using ServicesAllowedToSendForwardedTicketsTo

If the KDC is for the realm of both Service 1 and Service 2, then the KDC checks whether the security principal name (SPN) for Service 2, identified in the sname and srealm fields of the KRB_TGS_REQ message, is in the Service 1 account's ServicesAllowedToSendForwardedTicketsTo parameter. If it is, then the delegation policy is satisfied. If it is not, and the PA-PAC-OPTIONS [167] ([MS-KILE] section 2.2.10) padata type does not have the resource-based constrained delegation bit set, then the KDC MUST return KRB-ERR-BADOPTION. If Service 1's ServicesAllowedToSendForwardedTicketsTo parameter is empty, the error is returned with STATUS_NOT_SUPPORTED; otherwise it is returned with STATUS_NO_MATCH.

If the service ticket in the additional-tickets field is not set to forwardable<19> and the PA-PAC-OPTIONS [167] ([MS-KILE] section 2.2.10) padata type does not have the resource-based constrained delegation bit set, then the KDC MUST return KRB-ERR-BADOPTION with STATUS_NO_MATCH.
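The two checks above, written out as one decision function (an added example, not code from [MS-SFU] or from any KDC implementation). It reads the two paragraphs as sequential checks, so a non-forwardable additional ticket fails even when the SPN is in the list unless the RBCD bit is set; the realm names, SPNs, case-insensitive SPN comparison and the field names of the dataclasses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample realm; not taken from the specification.
KDC_REALM = "CONTOSO.COM"


@dataclass(frozen=True)
class Service1Account:
    realm: str
    # ServicesAllowedToSendForwardedTicketsTo: SPNs Service 1 may forward tickets to
    allowed_spns: FrozenSet[str]


@dataclass(frozen=True)
class TgsReq:
    sname: Tuple[str, ...]               # PrincipalName name-string, e.g. ("cifs", "fs01.contoso.com")
    srealm: str
    pa_pac_options_rbcd_bit: bool        # resource-based constrained delegation bit in PA-PAC-OPTIONS
    additional_ticket_forwardable: bool  # FORWARDABLE flag on the ticket in additional-tickets


def check_delegation_policy(svc1: Service1Account, req: TgsReq,
                            kdc_realm: str = KDC_REALM) -> Tuple[str, Optional[str]]:
    """Return (result, status): 'SATISFIED', 'RBCD_CHECK' (fall through to the
    resource-based policy) or 'KRB-ERR-BADOPTION' with the accompanying status name."""
    # This section only applies when the KDC serves the realm of both services.
    if not (svc1.realm.upper() == kdc_realm.upper() == req.srealm.upper()):
        return ("NOT_THIS_SECTION", None)
    spn = "/".join(req.sname)
    # Assumption: SPNs are compared case-insensitively.
    in_list = spn.lower() in {s.lower() for s in svc1.allowed_spns}
    if in_list:
        satisfied = True
    elif not req.pa_pac_options_rbcd_bit:
        # Not in the list and no RBCD bit: error, status depends on whether the list was empty.
        status = "STATUS_NOT_SUPPORTED" if not svc1.allowed_spns else "STATUS_NO_MATCH"
        return ("KRB-ERR-BADOPTION", status)
    else:
        satisfied = False
    # Second check: the additional ticket must be forwardable unless the RBCD bit is set.
    if not req.additional_ticket_forwardable and not req.pa_pac_options_rbcd_bit:
        return ("KRB-ERR-BADOPTION", "STATUS_NO_MATCH")
    return ("SATISFIED", None) if satisfied else ("RBCD_CHECK", None)


if __name__ == "__main__":
    svc1 = Service1Account("CONTOSO.COM", frozenset({"cifs/fs01.contoso.com"}))
    print(check_delegation_policy(svc1, TgsReq(("cifs", "fs01.contoso.com"), "CONTOSO.COM", False, True)))
```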