188.8.131.52 PAC Generation
In either of the following two cases, a PAC[MS-PAC] MUST be generated and included in the response by the KDC when the client has requested that a PAC be included. The request to include a PAC is expressed through the use of a KERB-PA-PAC-REQUEST (section 2.2.2) PA-DATA type that is set to TRUE:
During an Authentication Service (AS) request that has been validated with pre-authentication and for which the account has AuthorizationDataNotRequired set to FALSE.
Otherwise, the response will not contain a PAC.
Note Population of the PAC is covered in the corresponding KDC details sections.