3.3.5.6.4.6 PAC_CLIENT_CLAIMS_INFO Structure
If ClaimsCompIdFASTSupport is set to:
0: The KDC does not insert into the returned PAC a PAC_CLIENT_CLAIMS_INFO structure ([MS-PAC] section 2.11).
1: If a PA-PAC-OPTIONS [167] (section 2.2.10) padata type with the Claims bit set is in the AS-REQ, the KDC behaves as noted in the next step, "2 or 3". Otherwise, the KDC does not provide a PAC_CLIENT_CLAIMS_INFO structure.
2 or 3: The KDC SHOULD<58>
Add the CLAIMS_VALID SID ([MS-DTYP] section 2.4.2.4) to KERB_VALIDATION_INFO.ExtraSids.
Increment SidCount.
Add a PAC_CLIENT_CLAIMS_INFO structure as follows:
For KILE implementations that use Active Directory for the account database, KDCs retrieve the claims from the local directory service instance with the same processing rules as defined in GetClaimsForPrincipal procedure ([MS-ADTS] section 3.1.1.11.2.1) for message processing. The KDC populates the returned PAC_CLIENT_CLAIMS_INFO structure fields as follows:
The Claims field SHOULD be set to the ClaimsBlob.