3.3.5.7.2 TGT without a PAC
If a TGS request includes a TGT without a PAC, the KDC SHOULD add a PAC before issuing the service ticket. This occurs when the TGT was issued by a pure realm [RFC4120] that is trusted by the domain. The PAC MUST be inserted when there is a mapping to a domain user. There are two ways to discover the mapped user:
If the KDC is configured locally to map principals in the realm to accounts based on name [RFC4120]. In this case, the KDC MUST search the mapping for a principal with the same name.
If there is no default mapping rule established, the KDC MUST search Active Directory for an account which is associated with the name in the TGT.
If a matching account is found and the Application Server's service account AuthorizationDataNotRequired is set to FALSE, the KDC MUST use that account to construct a PAC and insert it into the resulting service ticket. Otherwise, the service ticket MUST be issued without a PAC.