git.ipfire.org Git - thirdparty/krb5.git/commit
Interop with Heimdal KDC for S4U2Self requests 1083/head
author Isaac Boukris <iboukris@gmail.com>
Tue, 9 Jun 2020 22:32:56 +0000 (01:32 +0300)
committer Greg Hudson <ghudson@mit.edu>
Tue, 23 Jun 2020 16:54:50 +0000 (12:54 -0400)
commit 8e80ddbfdb479800c8e6ef7b287d400476578f8a
tree 1f2d3c2e9b5a23385ff333e642b5ea9c1484ccdd
parent 94b936a1bf0a8c67809597c5ea5400d8994d5dd8
Interop with Heimdal KDC for S4U2Self requests

[MS-SFU] 3.1.5.1.1.1 says the KDC SHOULD send PA_S4U_X509_USER pa-data
if the TGT session key is of a newer enctype.  Our S4U2Self client
code has enforced this clause as if it were a MUST.  For consistency
with Microsoft and interoperability with Heimdal (which does not
implement PA_S4U_X509_USER), stop enforcing this constraint.

[ghudson@mit.edu: compressed code slightly; wrote commit message]

ticket: 8919 (new)
src/lib/krb5/krb/s4u_creds.c