3.2.5.2.4 KDC Replies with Service Ticket

The KDC MUST reply with the service ticket where:

• The sname field contains the name of Service 2.

• The realm field contains the realm of Service 2.

• The cname field contains the cname from the service ticket in the additional-tickets field.

• The crealm field contains the crealm from the service ticket in the additional-tickets field.

• The S4U_DELEGATION_INFO structure is in the new PAC.

The TGS returns the new service ticket in the KRB_TGS_REP message to Service 1.

If the PAC of the service ticket in the additional-tickets field does not have an S4U_DELEGATION_INFO structure ([MS-PAC] section 2.9), the KDC MUST add an S4U_DELEGATION_INFO structure to the new PAC where:

• S4U2proxyTarget contains the name of Service 2.

• TransitedListSize is set to 1.

Otherwise, if a PAC was provided, the KDC MUST copy the existing S4U_DELEGATION_INFO structure into the new PAC and increment the TransitedListSize field by 1.

The KDC MUST also add the name of Service 1 to the S4UTransitedServices list in the structure.

Windows KDC constructs the impersonated client's principal name from the PAC. The cname and crealm in the KDC reply are set to the impersonated client's principal name, realm.