3.3.5.6.4 Initial Population of the PAC

For KILE implementations that use Active Directory for the account database, the KDC will create a PAC. During processing of the AS request, the KDC searches Active Directory for the user or computer account that matches the cname that was sent in the AS-REQ message. The KDC then creates the PAC structure [MS-PAC] and encodes that into the TGT using the AD-IF-RELEVANT element ([RFC4120] section 5.2.6.1). The KDC MUST ensure that the PAC structure does not end with a zero-length buffer.