4.1.2 Authorization Validation and Filtering

When a PAC is conveyed across a trust boundary, the receiving server addresses the threat of forged identities in the PAC. For example, the PAC might contain SIDs that are actually from the receiving server's domain rather than from the domain of the principal the PAC is supposed to represent. While a correctly functioning domain controller would not do that, if a domain controller were compromised by an attacker, the attacker might create arbitrary PACs in an effort to attack other domains.

To mitigate this threat, any KDC accepting a PAC from another domain through an interdomain trust has to filter out any SIDs that are not correct. To filter the SIDs and client names correctly and safely, an implementation can use the guidelines discussed in the following sections.<21><22>