3.2.5.2.2 Verification of the PAC

Service 1's KDC verifies both server ([MS-PAC] section 2.8.4) and KDC ([MS-PAC] section 2.8.5) signatures of the PAC. Because Service 1’s KDC is ingesting a service ticket rather than a TGT, it SHOULD also ensure the integrity of the service ticket by verifying the ticket signature ([MS-PAC] section 2.8.3).<20> If Service 2 is in another domain, then its KDC verifies only the KDC signature of the PAC. If verification fails, the KDC MUST return KRB-AP-ERR-MODIFIED.
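The verification rule above, written out as an added Python example (not code from the specification or from any KDC implementation). The function names, the dictionary layout and the byte strings are assumptions, and a truncated HMAC-SHA1 stands in for the Kerberos checksum types that [MS-PAC] actually uses.

```python
import hashlib
import hmac

KRB_AP_ERR_MODIFIED = 41  # RFC 4120 error code for an integrity failure


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    # Stand-in (assumption): plain HMAC-SHA1 truncated to 96 bits. A real KDC uses
    # the checksum type named in each PAC_SIGNATURE_DATA, with its key derivation.
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def sign(pac_body: bytes, ticket_body: bytes, service_key: bytes, kdc_key: bytes) -> dict:
    # pac_body models the PAC with both signature fields zeroed; ticket_body models
    # the ticket content covered by the ticket signature (both constructed bytes).
    server_sig = keyed_checksum(service_key, pac_body)
    return {
        "body": pac_body,
        "server_sig": server_sig,
        "kdc_sig": keyed_checksum(kdc_key, server_sig),  # covers the server signature
        "ticket_sig": keyed_checksum(kdc_key, ticket_body),
    }


def verify_pac(pac: dict, ticket_body: bytes, kdc_key: bytes, service1_key=None,
               service1_kdc: bool = True, check_ticket_sig: bool = True) -> int:
    """Return 0 if every signature this KDC checks is valid, else KRB_AP_ERR_MODIFIED."""
    # The KDC signature is checked in both roles.
    checks = [(kdc_key, pac["server_sig"], pac["kdc_sig"])]
    if service1_kdc:
        if service1_key is None:
            return KRB_AP_ERR_MODIFIED  # server signature cannot be checked: fail closed
        checks.append((service1_key, pac["body"], pac["server_sig"]))
        if check_ticket_sig:  # the SHOULD in the text
            checks.append((kdc_key, ticket_body, pac["ticket_sig"]))
    # service1_kdc=False models Service 2's KDC in another domain: KDC signature only.
    for key, data, expected in checks:
        if not hmac.compare_digest(keyed_checksum(key, data), expected):
            return KRB_AP_ERR_MODIFIED
    return 0
```
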