1.6.2 Kerberos PAC Validation

Figure 1: Kerberos PAC validation
Before Kerberos PAC validation occurs, the client has sent the privilege attribute certificate (PAC) to the service as a part of the Kerberos Protocol Extensions described in [MS-KILE]. The operating system on which the service runs validates the PAC to prevent PAC tampering by the service. PAC tampering can result in inappropriate elevation of privileges.
PAC validation is applicable for Kerberos applications that process and interpret the PAC and present that authorization data to additional services. It is optional for a self-contained application because the security threat that the protocol addresses is not relevant for self-contained applications.
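The reason the check is deferred to a domain controller can be shown with a simplified model, added here as an example and not taken from the protocol specification. It assumes the PAC's two-signature layout (a server signature keyed with the service's key and a KDC signature keyed with a key only the KDC holds); HMAC-SHA256, the dict layout, the keys and all function names are constructed stand-ins.

```python
import hashlib
import hmac

# Simplified model (assumption): HMAC-SHA256 stands in for the PAC checksum
# types, and a dict stands in for the binary PAC structure.
def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_issue_pac(authz: bytes, service_key: bytes, kdc_key: bytes) -> dict:
    """KDC side: sign the authorization data, then sign that signature."""
    server_sig = _mac(service_key, authz)
    return {"authz": authz, "server_sig": server_sig,
            "kdc_sig": _mac(kdc_key, server_sig)}

def dc_confirms(kdc_key: bytes, server_sig: bytes, kdc_sig: bytes) -> bool:
    """Domain controller side: only the KDC key holder can check kdc_sig."""
    return hmac.compare_digest(kdc_sig, _mac(kdc_key, server_sig))

def os_validate_pac(pac: dict, service_key: bytes, ask_dc) -> str:
    """Service host OS: local check first, then defer to the DC."""
    if not hmac.compare_digest(pac["server_sig"], _mac(service_key, pac["authz"])):
        return "reject: server signature mismatch"
    if not ask_dc(pac["server_sig"], pac["kdc_sig"]):
        return "reject: KDC signature not confirmed by DC"
    return "accept"

def demo() -> dict:
    service_key, kdc_key = b"constructed-service-key", b"constructed-kdc-key"
    ask_dc = lambda s, k: dc_confirms(kdc_key, s, k)
    genuine = kdc_issue_pac(b"user=alice;groups=Users", service_key, kdc_key)
    # Altered in transit: authorization data changed, signatures untouched.
    altered = dict(genuine, authz=b"user=alice;groups=Admins")
    # Altered by a party holding the service key: the server signature is
    # recomputed, but the KDC signature cannot be.
    resigned = dict(altered, server_sig=_mac(service_key, altered["authz"]))
    return {name: os_validate_pac(pac, service_key, ask_dc)
            for name, pac in (("genuine", genuine), ("altered", altered),
                              ("resigned", resigned))}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```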