4.2 Kerberos PAC Validation
Figure 3: PAC validation
The client tries to access a resource requiring Kerberos authentication. The client sends an AP-REQ message to request authentication from the server.
The server passes the PAC to the operating system to receive an access token. The server operating system forwards the PAC signature in the AP-REQ to the domain controller for verification in a KERB_VERIFY_PAC message.
The domain controller verifies the signature on the response and returns the result to the server. The error is returned as the appropriate RPC status code.
The server verifies the AP-REQ, and sends an AP-REP if the verification is successful.