Anteckning
Åtkomst till den här sidan kräver auktorisering. Du kan prova att logga in eller ändra kataloger.
Åtkomst till den här sidan kräver auktorisering. Du kan prova att ändra kataloger.
When a KDC processes a TGS-REQ ([RFC4120] section 3.3.2) and if the Service 1 account is in the KDC's realm, the KDC MUST reply with the service ticket, where:
-
-
sname contains the name of Service 1.
-
realm contains the realm of Service 1.
-
cname contains the userName field of the PA-FOR-USER data.
-
crealm contains the userRealm fields of the PA-FOR-USER data.
-
If the TrustedToAuthenticationForDelegation parameter on the Service 1 principal is set to:
TRUE: the KDC MUST set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.
FALSE and ServicesAllowedToSendForwardedTicketsTo is nonempty: the KDC MUST NOT set the FORWARDABLE ticket flag ([RFC4120] section 2.6) in the S4U2self service ticket.<16>
If the DelegationNotAllowed parameter on the principal is set, then the KDC SHOULD NOT set the FORWARDABLE ticket flag ([RFC4120], section 2.6) in the S4U2self service ticket.<17>
If the KRB_TGS_REQ message contains a PA-S4U-X509-USER padata type, the KDC MUST include the PA-S4U-X509-USER padata type in the KRB_TGS_REP message.
If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], the KDC, when populating the KERB_VALIDATION_INFO Structure ([MS-KILE] section 3.3.5.6.4.1), MUST NOT include the AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY SID in the ExtraSids field and SHOULD<18> add the SERVICE_ASSERTED_IDENTITY SID ([MS-DTYP] section 2.4.2.4) instead.