Allows a service using Kerberos for authentication to obtain a Kerberos service ticket to itself on behalf of a user or proxy without requiring the user or proxy to be a part of the Kerberos environment. Since the intermediary is a member of the domain, it has the ability to transition the client request from a non-Kerberos model (CAC, X.509 certificate) to a required Kerberos model (username, domain membership, etc.)