KDC Receives S4U2self KRB_TGS_REQ

When a KDC processes a TGS-REQ message ([RFC4120], section 3.3.2) and that message is an S4U2self KRB_TGS_REQ, the KDC MUST verify the client name as follows:

  • If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], a referral TGT is received and a PAC is provided, the Name field in the PAC_CLIENT_INFO structure MUST have the form of "client name@client realm".

  • If PA-S4U-X509-USER was sent in the KRB_TGS_REQ message, the client name and client realm MUST match cname and crealm in the user-id field of PA-S4U-X509-USER.

  • Otherwise, the client name and client realm MUST match userName and userRealm in the PA-FOR-USER sent in the KRB_TGS_REQ message.

If any of these verifications fails, the KDC MUST return KDC_ERR_POLICY.
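The three rules above, worked through as KDC-side validation logic. This is an added illustration, not code from MS-SFU or from any Kerberos implementation; the data classes, the field names on them, and the request shape are assumptions that reduce each structure to the fields the rules consult. Two further assumptions are labelled in the code: the PAC check is applied whenever its conditions hold and then either the PA-S4U-X509-USER or the PA-FOR-USER comparison follows (X509 taking precedence, as the "Otherwise" implies), and name comparison is exact string equality. The numeric value 12 for KDC_ERR_POLICY comes from RFC 4120; the principal and realm names used below are constructed sample values.

```python
"""Client-name verification for an S4U2self KRB_TGS_REQ, as a KDC would perform it.

Added illustration; not MS-SFU's text or any implementation's code. Each Kerberos
structure is reduced to the fields that the verification rules actually read.
"""
from dataclasses import dataclass
from typing import Optional

KDC_ERR_POLICY = 12  # error-code value assigned in RFC 4120 (assumed to be the value returned)


@dataclass
class PaForUser:
    """PA-FOR-USER padata: only userName / userRealm matter here (assumed field names)."""
    user_name: str
    user_realm: str


@dataclass
class PaS4UX509User:
    """PA-S4U-X509-USER padata: the user-id field's cname / crealm (assumed field names)."""
    cname: str
    crealm: str


@dataclass
class PacClientInfo:
    """PAC_CLIENT_INFO from the PAC carried in a referral TGT: only Name is consulted."""
    name: str


@dataclass
class S4U2SelfRequest:
    """Assumed shape of the request as seen by the KDC after decoding."""
    client_name: str      # client name the KDC will place in the issued ticket
    client_realm: str     # client realm the KDC will place in the issued ticket
    referral_tgt: bool    # True when the presented TGT is a cross-realm referral TGT
    pac: Optional[PacClientInfo] = None
    pa_s4u_x509_user: Optional[PaS4UX509User] = None
    pa_for_user: Optional[PaForUser] = None


def verify_s4u2self_client(req: S4U2SelfRequest, kdc_supports_pac: bool = True) -> Optional[int]:
    """Return None when the client name passes every applicable check, else KDC_ERR_POLICY.

    Assumption: the PAC rule is cumulative with the padata rules; of the two padata
    rules, PA-S4U-X509-USER wins when present and PA-FOR-USER is the fallback.
    Comparisons are exact string equality (assumption; no case folding is done).
    """
    # Rule 1: PAC-aware KDC, referral TGT, PAC present:
    # PAC_CLIENT_INFO.Name must read "client name@client realm".
    if kdc_supports_pac and req.referral_tgt and req.pac is not None:
        if req.pac.name != f"{req.client_name}@{req.client_realm}":
            return KDC_ERR_POLICY

    # Rule 2: PA-S4U-X509-USER was sent: client name/realm must match user-id cname/crealm.
    if req.pa_s4u_x509_user is not None:
        x = req.pa_s4u_x509_user
        if (req.client_name, req.client_realm) != (x.cname, x.crealm):
            return KDC_ERR_POLICY
        return None

    # Rule 3: otherwise client name/realm must match PA-FOR-USER userName/userRealm.
    if req.pa_for_user is None:
        # Assumption: with neither padata there is no impersonation target to
        # compare against, so the request is rejected with the same error.
        return KDC_ERR_POLICY
    f = req.pa_for_user
    if (req.client_name, req.client_realm) != (f.user_name, f.user_realm):
        return KDC_ERR_POLICY
    return None


if __name__ == "__main__":
    # Constructed sample: a plain (non-referral) S4U2self request using PA-FOR-USER.
    ok = S4U2SelfRequest("alice", "EXAMPLE.COM", False,
                         pa_for_user=PaForUser("alice", "EXAMPLE.COM"))
    bad = S4U2SelfRequest("alice", "EXAMPLE.COM", False,
                          pa_for_user=PaForUser("bob", "EXAMPLE.COM"))
    print("matching PA-FOR-USER ->", verify_s4u2self_client(ok))
    print("mismatched PA-FOR-USER ->", verify_s4u2self_client(bad))
```

The function returns the error code rather than raising so that a caller can map it straight into the KRB-ERROR it sends back; the point to notice is that a mismatch in any applicable rule yields the same KDC_ERR_POLICY, so the requester learns only that the name was rejected, not which field disagreed.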