184.108.40.206.1 Sends S4U2proxy KRB_TGS_REQ
If Service 1 did not obtain a user's service ticket to Service 1 when the client connected to Service 1, then it can use S4U2self to obtain a user's service ticket to Service 1. If the user's service ticket is neither:
Forwardable; that is, the forwardable bit is set on the ticket
A nonforwardable S4U2self-generated user's service ticket for a nonsensitive user where:
then the SFU client SHOULD fail the request.
Service 1 requests a service ticket to Service 2 by sending a KRB_TGS_REQ message with the S4U2proxy extensions:
PA-PAC-OPTIONS  ([MS-KILE] section 2.2.10) padata type with the resource-based constrained delegation bit set.<10>
kdc-options field: MUST include the new cname-in-addl-tkt options flag.
additional-tickets field: The user's service ticket to Service 1.
sname and realm fields: the name and realm of Service 2.
If a nonforwardable S4U2self-generated user's service ticket for a nonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 220.127.116.11) to send the request.