diff --git a/lib/asn1/k5.asn1 b/lib/asn1/k5.asn1
index efe9b842e..dc410acf7 100644
--- a/lib/asn1/k5.asn1
+++ b/lib/asn1/k5.asn1
@@ -70,10 +70,11 @@ PADATA-TYPE ::= INTEGER {
 	KRB5-PADATA-TD-REQ-NONCE(107),		-- INTEGER
 	KRB5-PADATA-TD-REQ-SEQ(108),		-- INTEGER
 	KRB5-PADATA-PA-PAC-REQUEST(128),	-- jbrezak@exchange.microsoft.com
-	KRB5-PADATA-PK-AS-09-BINDING(132)	-- client send this to 
+	KRB5-PADATA-PK-AS-09-BINDING(132),	-- client send this to 
 						-- tell KDC that is supports 
 						-- the asCheckSum in the
 						--  PK-AS-REP
+	KRB5-PADATA-S4U2SELF(-17)
 }
 
 AUTHDATA-TYPE ::= INTEGER {
@@ -307,7 +308,7 @@ Authenticator ::= [APPLICATION 2] SEQUENCE    {
 	subkey[6]		EncryptionKey OPTIONAL,
 	seq-number[7]		krb5uint32 OPTIONAL,
 	authorization-data[8]	AuthorizationData OPTIONAL
-	}
+}
 
 PA-DATA ::= SEQUENCE {
 	-- might be encoded AP-REQ
@@ -601,6 +602,13 @@ PA-ENC-SAM-RESPONSE-ENC ::= SEQUENCE {
 	...
 }
 
+PA-S4U2Self ::= SEQUENCE {
+	name[0]		PrincipalName,
+        realm[1]	Realm,
+        cksum[2]	Checksum,
+        auth[3]		GeneralString
+}
+
 -- This is really part of CMS, but its here because KCRYPTO provides
 -- the crypto framework for CMS glue in heimdal.