Export (0) Print
Expand All

3.3.5.3 PAC Generation

In either of the following two cases, a PAC[MS-PAC] MUST be generated and included in the response by the KDC when the client has requested that a PAC be included. The request to include a PAC is expressed through the use of a KERB-PA-PAC-REQUEST (section 2.2.2) PA-DATA type that is set to TRUE:

  • During an Authentication Service (AS) request that has been validated with pre-authentication and for which the account has AuthorizationDataNotRequired set to FALSE.

  • During a TGS request that results in a service ticket unless the NA bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5).

Otherwise, the response will not contain a PAC.

Note  Population of the PAC is covered in the corresponding KDC details sections.

 
Show:
© 2014 Microsoft