The Privilege Attribute Certificate (PAC) Data Structure is used by authentication protocols (protocols that verify identities) to transport authorization information, which controls access to resources. Once authentication has been accomplished, the next task is to decide if a particular request is authorized. Management of network systems often models broad authorization decisions through groups; for example, all engineers that have access to a specific printer or all sales personnel that have access to a certain web server. Making group information consistently available to a number of services allows for simpler management.
The Kerberos protocol is one of the most commonly used authentication mechanisms. However, the Kerberos protocol [RFC4120] does not provide authorization; "kerberized" applications are expected to manage their own authorization, typically through names. Specifically, the Kerberos protocol does not define any explicit group membership or logon policy information to be carried in the Kerberos tickets; it leaves that for Kerberos extensions to provide a mechanism to convey authorization information by encapsulating this information within an AuthorizationData structure ([RFC4120] section 5.2.6). The Privilege Attribute Certificate (PAC) was created to provide this authorization data for Kerberos Protocol Extensions [MS-KILE].
[MS-KILE] encodes authorization information, which consists of group memberships, into a structure referred to as the PAC. In addition to membership information, the PAC includes additional credential information, profile and policy information, and supporting security metadata.<1>
Sections 1.7 and 2 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in [RFC2119]. All other sections and examples in this specification are informative.