3.2 Kerberos PAC Validation Details

Kerberos PAC validation SHOULD use the generic pass-through mechanism ([MS-NRPC] section 3.2.4.1). The NETLOGON_TICKET_LOGON_INFO message (section 2.2.2.1) MUST be sent to the domain controller (DC) for privilege attribute certificate (PAC) verification. The ticket verification algorithm MUST occur (section 3.2.5).