3.1.5.2.1 Sends S4U2proxy KRB_TGS_REQ
If Service 1 did not obtain a user's service ticket to Service 1 when the client connected to Service 1, then it can use S4U2self to obtain a user's service ticket to Service 1. If the user's service ticket is neither:
Forwardable; that is, the forwardable bit is set on the ticket
nor
A nonforwardable S4U2self-generated user's service ticket for a nonsensitive user where:
then the SFU client SHOULD fail the request.
Service 1 requests a service ticket to Service 2 by sending a KRB_TGS_REQ message with the S4U2proxy extensions:
PA-PAC-OPTIONS [167] ([MS-KILE] section 2.2.10) padata type with the resource-based constrained delegation bit set.<10>
kdc-options field: MUST include the new cname-in-addl-tkt options flag.
additional-tickets field: The user's service ticket to Service 1.
sname and realm fields: the name and realm of Service 2.
If a nonforwardable S4U2self-generated user's service ticket for a nonsensitive user is used, then the SFU client SHOULD<11> locate a DS_BEHAVIOR_WIN2012 DC ([MS-KILE] section 3.2.5.3) to send the request.
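The rules above (which tickets Service 1 may place in additional-tickets, which request fields are set, and when a DS_BEHAVIOR_WIN2012 DC is needed) are compact enough to model as a small decision routine. The following is an added Python example, not code from the MS-SFU specification or from any Microsoft implementation: it represents the ticket and request as plain Python objects with no ASN.1 encoding or network traffic. The bit positions (TicketFlags forwardable = bit 1, KDCOptions cname-in-addl-tkt = bit 14, PA-PAC-OPTIONS resource-based constrained delegation = bit 3) are my assumptions from RFC 4120, [MS-SFU] section 2.2.2 and [MS-KILE] section 2.2.10; the `ServiceTicket` fields and all sample names are constructed for illustration.

```python
"""Added example (not part of [MS-SFU]): client-side model of the
S4U2proxy KRB_TGS_REQ rules. Bit numbers and field names are assumptions
taken from RFC 4120 / MS-SFU 2.2.2 / MS-KILE 2.2.10, not from the page."""
from dataclasses import dataclass


def krb_bit(n: int) -> int:
    """Kerberos BIT STRINGs number bits from the most significant end,
    so ASN.1 bit n of a 32-bit flags word is 1 << (31 - n)."""
    return 1 << (31 - n)


TICKET_FLAG_FORWARDABLE = krb_bit(1)      # RFC 4120 TicketFlags bit 1 (0x40000000)
KDC_OPT_CNAME_IN_ADDL_TKT = krb_bit(14)   # MS-SFU KDCOptions bit 14 (assumed)
PA_PAC_OPTIONS = 167                      # padata type named on the page
PAC_OPT_RBCD = krb_bit(3)                 # MS-KILE PA-PAC-OPTIONS bit 3 (assumed)


@dataclass
class ServiceTicket:
    """Constructed stand-in for a user's service ticket held by Service 1."""
    cname: str                      # the user
    sname: str                      # Service 1's SPN
    realm: str
    flags: int = 0                  # TicketFlags as a 32-bit word
    from_s4u2self: bool = False     # obtained by Service 1 via S4U2self?
    user_is_sensitive: bool = False  # account marked "sensitive, cannot be delegated"


def is_forwardable(t: ServiceTicket) -> bool:
    return bool(t.flags & TICKET_FLAG_FORWARDABLE)


def is_nonforwardable_s4u2self_nonsensitive(t: ServiceTicket) -> bool:
    """The second branch of the 'neither ... nor' rule on the page."""
    return (not is_forwardable(t)) and t.from_s4u2self and not t.user_is_sensitive


def ticket_usable_for_s4u2proxy(t: ServiceTicket) -> bool:
    """Ticket is acceptable only if forwardable, or if it is a nonforwardable
    S4U2self-generated ticket for a nonsensitive user."""
    return is_forwardable(t) or is_nonforwardable_s4u2self_nonsensitive(t)


def requires_win2012_dc(t: ServiceTicket) -> bool:
    """Only the nonforwardable S4U2self case needs a DS_BEHAVIOR_WIN2012 DC."""
    return is_nonforwardable_s4u2self_nonsensitive(t)


def build_s4u2proxy_tgs_req(ticket: ServiceTicket, service2_sname: str,
                            service2_realm: str) -> dict:
    """Return the KRB_TGS_REQ fields the page lists, or raise if the SFU
    client SHOULD fail the request."""
    if not ticket_usable_for_s4u2proxy(ticket):
        raise ValueError("ticket is neither forwardable nor an eligible "
                         "nonforwardable S4U2self ticket; SFU client fails")
    return {
        "padata": [{"padata-type": PA_PAC_OPTIONS, "flags": PAC_OPT_RBCD}],
        "kdc-options": KDC_OPT_CNAME_IN_ADDL_TKT,   # MUST be set for S4U2proxy
        "additional-tickets": [ticket],             # user's ticket to Service 1
        "sname": service2_sname,
        "realm": service2_realm,
        "needs-win2012-dc": requires_win2012_dc(ticket),
    }


if __name__ == "__main__":
    # Constructed sample: a forwardable ticket for user "alice" to Service 1.
    sample = ServiceTicket("alice", "http/svc1.example.local", "EXAMPLE.LOCAL",
                           flags=TICKET_FLAG_FORWARDABLE)
    req = build_s4u2proxy_tgs_req(sample, "cifs/svc2.example.local", "EXAMPLE.LOCAL")
    print(f"kdc-options = {req['kdc-options']:#010x}, padata type {PA_PAC_OPTIONS}")
```

Because `kdc-options` is kept as the 32-bit word rather than a symbolic name, the value it produces (cname-in-addl-tkt alone is 0x00020000) is the same one a KDC or a packet decoder shows for the S4U2proxy exchange, which makes the model handy when reading captured TGS-REQ traffic or KDC audit data.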