3.1.5.2.2 Receives Referral

If Service 1 receives a referral ([RFC6806] section 8) and does not have its own service ticket for Service 2, then Service 1 SHOULD<12> obtain a service ticket for Service 2.

The SFU client SHOULD send a KRB_TGS_REQ message for the user to each referral KDC until it receives a referral TGT for Service 2’s realm. Because the SFU client already has a service ticket for Service 2 (that is, the service ticket obtained by Service 1 for itself), it has the name of Service 2’s realm. The SFU client SHOULD then send a KRB_TGS_REQ with the S4U2proxy extensions, using Service 1’s referral TGT:

  • kdc-options field: MUST include the new cname-in-addl-tkt options flag.

  • additional-tickets field: The user's referral TGT.

  • sname and realm fields: The name and realm of Service 2.
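
The following is an added example, not part of the specification text: a simplified Python model of the referral chase and of the three request fields listed above, with a checker that a decoded request satisfies them. The realm names, the referral map and all function names are hypothetical; the bit position of cname-in-addl-tkt (14) is not stated in this section and is taken from the KDCOptions definition elsewhere in [MS-SFU].

```python
# Added illustration: plain data model, no network I/O. All names are hypothetical.

# KDCOptions is a 32-bit flag field in which bit 0 is the most significant bit.
def kdc_option(bit):
    return 1 << (31 - bit)

CNAME_IN_ADDL_TKT = kdc_option(14)  # cname-in-addl-tkt, bit 14

# Constructed referral map: the KDC of realm <key> answers the TGS-REQ with a
# referral TGT for realm <value>.
REFERRALS = {"CHILD.EXAMPLE": "EXAMPLE", "EXAMPLE": "PARTNER.EXAMPLE"}

def chase_referrals(start_realm, target_realm, referrals, max_hops=8):
    """Return the realms visited until a TGT for target_realm is held."""
    path = [start_realm]
    while path[-1] != target_realm:
        nxt = referrals.get(path[-1])
        if nxt is None:
            raise LookupError("no referral from " + path[-1])
        # A client that follows referrals blindly can be sent in circles.
        if nxt in path or len(path) > max_hops:
            raise RuntimeError("referral loop or too many hops")
        path.append(nxt)
    return path

def build_s4u2proxy_req(service2, realm2, user_referral_tgt):
    """Field values for the S4U2proxy KRB_TGS_REQ described in this section."""
    return {
        "kdc-options": CNAME_IN_ADDL_TKT,
        "additional-tickets": [user_referral_tgt],
        "sname": service2,
        "realm": realm2,
    }

def violations(req, service2, realm2):
    """Check a decoded request against the three listed field requirements."""
    out = []
    if not req["kdc-options"] & CNAME_IN_ADDL_TKT:
        out.append("cname-in-addl-tkt not set")
    if not req["additional-tickets"]:
        out.append("additional-tickets is empty")
    if (req["sname"], req["realm"]) != (service2, realm2):
        out.append("sname/realm do not name Service 2")
    return out
```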