3.1.5.2.1 Sends S4U2proxy KRB_TGS_REQ

If Service 1 did not obtain a user's service ticket to Service 1 when the client connected to Service 1, then it can use S4U2self to obtain a user's service ticket to Service 1. If the user's service ticket is neither:

  • Forwardable; that is, the forwardable bit is set on the ticket

    nor

  • A nonforwardable S4U2self-generated user's service ticket for a nonsensitive user where:

    • Nonforwardable means the forwardable bit is not set on the ticket.

    • Nonsensitive user means the USER_NOT_DELEGATED bit is not set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) of the ticket.

then the SFU client SHOULD fail the request.

Service 1 requests a service ticket to Service 2 by sending a KRB_TGS_REQ message with the S4U2proxy extensions:

  • PA-PAC-OPTIONS [167] ([MS-KILE] section 2.2.10) padata type with the resource-based constrained delegation bit set.<10>

  • kdc-options field: MUST include the new cname-in-addl-tkt options flag.

  • additional-tickets field: The user's service ticket to Service 1.

  • sname and realm fields: the name and realm of Service 2.

If a nonforwardable S4U2self-generated user's service ticket for a nonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request.
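The precondition on the user's service ticket and the four S4U2proxy request fields above, modelled as an added Python example (not code from [MS-SFU] or any Kerberos implementation): the ticket, its PAC UserAccountControl and the resulting KRB_TGS_REQ are plain Python structures rather than ASN.1, and the bit positions of the forwardable flag, cname-in-addl-tkt, the RBCD PAC option and USER_NOT_DELEGATED are assumptions taken from RFC 4120, [MS-KILE] 2.2.10 and [MS-SAMR] 2.2.1.12 respectively.

```python
from dataclasses import dataclass
from typing import Tuple

# Bit positions are assumptions from the referenced specifications, not from this page.
TICKET_FLAG_FORWARDABLE = 1        # TicketFlags bit 1 (RFC 4120)
KDC_OPTION_CNAME_IN_ADDL_TKT = 14  # KDCOptions bit 14 ([MS-SFU] name for this bit)
PA_PAC_OPTIONS = 167               # padata type given on the page
PAC_OPTION_RBCD = 1 << 3           # resource-based constrained delegation ([MS-KILE] 2.2.10)
USER_NOT_DELEGATED = 0x00004000    # USER_ACCOUNT code ([MS-SAMR] 2.2.1.12), assumed layout

@dataclass
class UserServiceTicket:
    """Constructed model of the user's service ticket to Service 1."""
    flags: int                     # TicketFlags as a bit set (bit n -> 1 << n)
    s4u2self_generated: bool       # Service 1 obtained it via S4U2self
    pac_user_account_control: int  # UserAccountControl from KERB_VALIDATION_INFO

    @property
    def forwardable(self) -> bool:
        return bool(self.flags & (1 << TICKET_FLAG_FORWARDABLE))

    @property
    def sensitive_user(self) -> bool:
        return bool(self.pac_user_account_control & USER_NOT_DELEGATED)

def usable_for_s4u2proxy(t: UserServiceTicket) -> Tuple[bool, str]:
    """SFU client precondition: forwardable, or nonforwardable S4U2self for a nonsensitive user."""
    if t.forwardable:
        return True, "forwardable"
    if t.s4u2self_generated and not t.sensitive_user:
        return True, "nonforwardable S4U2self ticket for nonsensitive user; use a DS_BEHAVIOR_WIN2012 DC"
    return False, "neither forwardable nor S4U2self-for-nonsensitive-user: SFU client should fail"

def build_s4u2proxy_tgs_req(t: UserServiceTicket, service2: str, realm: str) -> dict:
    """Assemble the S4U2proxy KRB_TGS_REQ fields, or raise if the precondition fails."""
    ok, why = usable_for_s4u2proxy(t)
    if not ok:
        raise ValueError(why)
    return {
        "padata": [(PA_PAC_OPTIONS, PAC_OPTION_RBCD)],            # PA-PAC-OPTIONS, RBCD bit set
        "kdc-options": 1 << KDC_OPTION_CNAME_IN_ADDL_TKT,         # MUST include cname-in-addl-tkt
        "additional-tickets": [t],                                 # user's service ticket to Service 1
        "sname": service2,                                         # name of Service 2
        "realm": realm,                                            # realm of Service 2
        "prefer-win2012-dc": t.s4u2self_generated and not t.forwardable,
    }
```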