3.2.5 Message Processing Events and Sequencing Rules
If an implementation supports the SFU extensions, then the TGS-REQ processing rules in the following sections extend the rules in the related sections of [RFC4120] and [RFC6806].
If the KDC supports the Privilege Attribute Certificate Data Structure [MS-PAC], the SFU KDC MUST copy the populated fields from the PAC in the TGT to the newly created PAC and, after processing all fields it supports, the SFU KDC MUST generate a new Server Signature ([MS-KILE], section 3.3.5.6.4.3) and KDC Signature ([MS-KILE], section 3.3.5.6.4.4) which replace the existing signature fields in the PAC, as discussed in the sections that follow.
If the KDC does not support the Privilege Attribute Certificate Data Structure [MS-PAC], then the SFU KDC processes the IF-RELEVANT data as specified in related sections of [RFC4120].