3.3.5.3 PAC Generation

In either of the following two cases, a PAC [MS-PAC] MUST be generated and included in the response by the KDC:<47>

  • During an Authentication Service (AS) request or Ticket Granting Service (TGS) request where the requested ticket is a Ticket-Granting Ticket (TGT) (including referrals and tickets to Read-Only Domain Controllers (RODCs)).

  • During a TGS request that results in a service ticket unless the NA bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5) or the source ticket PAC contains a PAC_ATTRIBUTES_INFO structure ([MS-PAC] section 2.14) showing that the PAC was not requested (implicitly or explicitly).

Otherwise, the response will not contain a PAC.

Note  Population of the PAC is covered in the corresponding KDC details sections.
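The two cases above written as a decision function, plus an audit helper that compares the rule with what a decoded ticket actually carries. This is an added example, not text from the specification; the `TicketRequest` fields, the function names and the three bit-mask values are assumptions not given on this page and should be confirmed against [MS-PAC] and [MS-SAMR].

```python
from dataclasses import dataclass
from typing import Optional

# Assumed bit values (not stated on this page; confirm before relying on them).
UAC_NO_AUTH_DATA_REQUIRED = 0x00080000  # "NA" bit of UserAccountControl
PAC_WAS_REQUESTED = 0x00000001          # PAC_ATTRIBUTES_INFO Flags
PAC_WAS_GIVEN_IMPLICITLY = 0x00000002   # PAC_ATTRIBUTES_INFO Flags


@dataclass
class TicketRequest:  # hypothetical container for already-decoded fields
    exchange: str                  # "AS" or "TGS"
    result_is_tgt: bool            # TGT, including referrals and RODC tickets
    user_account_control: int = 0  # from KERB_VALIDATION_INFO
    # Flags of PAC_ATTRIBUTES_INFO in the source ticket PAC, None if absent.
    source_pac_attr_flags: Optional[int] = None


def pac_required(req: TicketRequest) -> bool:
    """Return True when the section's rule says the KDC includes a PAC."""
    # Case 1: AS or TGS request whose resulting ticket is a TGT.
    if req.exchange in ("AS", "TGS") and req.result_is_tgt:
        return True
    # Case 2 only covers TGS requests that yield a service ticket.
    if req.exchange != "TGS":
        return False
    if req.user_account_control & UAC_NO_AUTH_DATA_REQUIRED:
        return False
    flags = req.source_pac_attr_flags
    # A source PAC with no PAC_ATTRIBUTES_INFO cannot show "not requested".
    if flags is not None and not flags & (
        PAC_WAS_REQUESTED | PAC_WAS_GIVEN_IMPLICITLY
    ):
        return False
    return True


def audit(req: TicketRequest, pac_present: bool) -> str:
    """Classify an observed ticket against the rule, for log review."""
    expected = pac_required(req)
    if expected and not pac_present:
        return "missing-pac"
    if pac_present and not expected:
        return "unexpected-pac"
    return "ok"
```

A `missing-pac` result on a TGT is the case worth alerting on, since the rule above leaves no condition under which a TGT is issued without a PAC.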