3.3.5.3 PAC Generation
In either of the following two cases, a PAC [MS-PAC] MUST be generated and included in the response by the KDC when the client has requested that a PAC be included. The request to include a PAC is expressed through the use of a KERB-PA-PAC-REQUEST (section 2.2.3) padata type that is set to TRUE:
- During an Authentication Service (AS) request that has been validated with pre-authentication and for which the account has AuthorizationDataNotRequired set to FALSE.
- During a TGS request that results in a service ticket unless the NA bit is set in the UserAccountControl field in the KERB_VALIDATION_INFO structure ([MS-PAC] section 2.5).
Otherwise, the response will not contain a PAC.
Note: Population of the PAC is covered in the corresponding KDC details sections.
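The rule above as an added example (not code from [MS-KILE] or any KDC implementation): it decodes a KERB-PA-PAC-REQUEST padata value and then applies the two cases. The DER layout `SEQUENCE { include-pac [0] BOOLEAN }` is assumed from the section 2.2.3 definition rather than stated on this page, and all function and parameter names are hypothetical. A request that carries no KERB-PA-PAC-REQUEST at all is outside what this section states and is not modelled.

```python
# Added example. Assumed layout (section 2.2.3, not shown on this page):
#   KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }

def _tlv(buf: bytes, off: int, tag: int):
    """Read one DER TLV with a short-form length; return (value, next_offset)."""
    if off + 2 > len(buf) or buf[off] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {off}")
    length = buf[off + 1]
    if length & 0x80:
        raise ValueError("long-form length is not valid for this structure")
    end = off + 2 + length
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[off + 2:end], end

def parse_include_pac(padata_value: bytes) -> bool:
    """Return the include-pac flag carried in a KERB-PA-PAC-REQUEST."""
    seq, end = _tlv(padata_value, 0, 0x30)      # SEQUENCE
    if end != len(padata_value):
        raise ValueError("trailing bytes after SEQUENCE")
    ctx, end = _tlv(seq, 0, 0xA0)               # [0] explicit context tag
    if end != len(seq):
        raise ValueError("unexpected extra field in SEQUENCE")
    val, end = _tlv(ctx, 0, 0x01)               # BOOLEAN
    if end != len(ctx) or len(val) != 1:
        raise ValueError("malformed BOOLEAN")
    return val[0] != 0      # DER TRUE is 0xFF; any non-zero is read as TRUE

def kdc_includes_pac(exchange: str, pac_requested: bool, *,
                     preauth_validated: bool = False,
                     authorization_data_not_required: bool = False,
                     yields_service_ticket: bool = False,
                     na_bit_set: bool = False) -> bool:
    """Apply the two cases of section 3.3.5.3; everything else yields no PAC."""
    if not pac_requested:
        return False
    if exchange == "AS":
        return preauth_validated and not authorization_data_not_required
    if exchange == "TGS":
        return yields_service_ticket and not na_bit_set
    raise ValueError("exchange must be 'AS' or 'TGS'")

# Constructed sample padata values (not captured traffic).
REQ_TRUE = bytes.fromhex("3005a0030101ff")
REQ_FALSE = bytes.fromhex("3005a003010100")

if __name__ == "__main__":
    asked = parse_include_pac(REQ_TRUE)
    print(kdc_includes_pac("AS", asked, preauth_validated=True))
    print(kdc_includes_pac("TGS", asked, yields_service_ticket=True, na_bit_set=True))
```

For monitoring, `parse_include_pac` can be run over the padata value of each logged request to record whether a PAC was asked for, which explains why a given ticket does or does not carry one.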