3.2 Kerberos PAC Validation Details

Kerberos PAC validation SHOULD use the generic pass-through mechanism ([MS-NRPC] section 3.2.4.1). The KERB_VERIFY_PAC_REQUEST message (section 2.2.2.1) MUST be sent to the domain controller (DC) for privilege attribute certificate (PAC) verification. The signature verification algorithm MUST occur (section 3.2.5).