4.1.2.1 Rules for SID Inclusion in the PAC

The following rules apply for domain local SIDs, domain global SIDs, and universal group SIDs:

  1. The domain global and universal group SIDs are added to the PAC by the KDC when the initial ticket-granting ticket (TGT) is returned to the client during the Kerberos AS exchange, as specified in [RFC4120].

  2. The SIDs from the TGT's PAC that the client returns during the Kerberos ticket-granting service (TGS) exchange are copied into the referral or renewed TGT's PAC by the KDC, as specified in [RFC4120]. If the TGT returned by the client is a service ticket that is not a referral TGT, the domain local group SIDs are included in the PAC by the KDC.

  3. Domain local group SIDs must be added to the PAC by the KDC for password requests, as specified in [RFC3244].

The following rules apply for domain controller SIDs:

  1. The enterprise domain controller SID ([MS-ADTS] section 6.1.1.2.6.9) is added to the PAC by the KDC if the ADS_UF_SERVER_TRUST_ACCOUNT flag is set in the authenticating security principal's userAccountControl attribute in Active Directory ([MS-ADTS] section 2.2.16).

  2. The enterprise read-only domain controller SID ([MS-ADTS] section 6.1.1.2.6.10) is added to the PAC by the KDC if both the ADS_UF_WORKSTATION_ACCOUNT and the ADS_UF_PARTIAL_SECRETS_ACCOUNT flags are set in the security principal's userAccountControl attribute in Active Directory ([MS-ADTS] section 2.2.16).
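The following is an added example, not text or code from [MS-PAC]: a small Python model of both rule sets above (group SIDs by exchange type, and domain controller SIDs by userAccountControl flags), plus a defensive check that flags domain controller SIDs a PAC carries without the matching account flags. The bit values, the well-known SID S-1-5-9 and the RID-498 RODC SID under a constructed domain SID are assumptions of this example.

```python
# Added example (not from [MS-PAC]): models the KDC's SID-inclusion rules.
from dataclasses import dataclass

# userAccountControl bits ([MS-ADTS] section 2.2.16); values assumed here.
ADS_UF_WORKSTATION_ACCOUNT = 0x00001000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x00002000
ADS_UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000

# Assumed SIDs: enterprise DCs is the well-known S-1-5-9; the enterprise
# RODC group is RID 498 under a constructed forest-root domain SID.
ENTERPRISE_DC_SID = "S-1-5-9"
ENTERPRISE_RODC_SID = "S-1-5-21-1111-2222-3333-498"


@dataclass
class Principal:
    global_sids: list  # domain global and universal group SIDs
    local_sids: list   # domain local group SIDs
    uac: int = 0       # userAccountControl


def dc_sids(uac):
    """Domain controller SIDs the KDC adds based on userAccountControl."""
    sids = []
    if uac & ADS_UF_SERVER_TRUST_ACCOUNT:
        sids.append(ENTERPRISE_DC_SID)
    if (uac & ADS_UF_WORKSTATION_ACCOUNT) and (uac & ADS_UF_PARTIAL_SECRETS_ACCOUNT):
        sids.append(ENTERPRISE_RODC_SID)
    return sids


def pac_sids(exchange, principal, presented=(), referral_tgt=False):
    """Group SIDs the KDC places in the PAC of the ticket it issues.

    exchange: "AS" (initial TGT), "TGS" (service ticket, or referral/renewed
    TGT when referral_tgt is set) or "KPASSWD" (password request, [RFC3244]).
    """
    if exchange == "AS":
        return principal.global_sids + dc_sids(principal.uac)
    if exchange == "TGS":
        sids = list(presented)       # copied from the presented TGT's PAC
        if not referral_tgt:         # service ticket: add domain local SIDs
            sids += principal.local_sids
        return sids
    if exchange == "KPASSWD":        # modelled as presented SIDs + domain local
        return list(presented) + principal.local_sids
    raise ValueError(exchange)


def unexpected_dc_sids(sids, uac):
    """Defensive check: DC SIDs in a PAC that the account's flags do not justify."""
    claimed = set(sids) & {ENTERPRISE_DC_SID, ENTERPRISE_RODC_SID}
    return sorted(claimed - set(dc_sids(uac)))
```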