3.2.5.4 Processing a KERB_VERIFY_PAC_REQUEST Message

On receipt of the message, the DC MUST decode the KERB_VERIFY_PAC_REQUEST (section 2.2.4.1) message to locate the server checksum and the Key Distribution Center (KDC) checksum values. The DC MUST verify the KDC checksum, which is a keyed hash [RFC4757] over the server checksum passed in the request. If the checksum verification fails, the DC MUST return the error code STATUS_LOGON_FAILURE (section 2.2) as the return value to the Netlogon Generic Pass-through method. If the checksum is verified, the DC MUST return STATUS_SUCCESS. There is no return message.

When the method completes, the server operating system MUST examine the return code to determine whether the PAC contents have been altered. Any nonzero return code MUST be treated by the server operating system as a failure.
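The processing rule above, sketched in Python as an added example that is not part of the specification or of any Microsoft implementation; it covers only the HMAC-MD5 keyed hash of [RFC4757]. Assumptions made here, not stated in this section: the request is four little-endian 32-bit fields (MessageType, ChecksumLength, SignatureType, SignatureLength) followed by the server checksum and the KDC checksum, MessageType is 3, the KDC checksum uses key usage 17 with the krbtgt key, and a malformed request is answered with STATUS_LOGON_FAILURE. The key and checksum bytes are constructed sample values.

```python
import hashlib
import hmac
import struct

STATUS_SUCCESS = 0x00000000
STATUS_LOGON_FAILURE = 0xC000006D
KERB_VERIFY_PAC_MESSAGE = 0x00000003  # assumed MessageType value (section 2.2.4.1)
HMAC_MD5_SIGNATURE_TYPE = 0xFFFFFF76  # KERB_CHECKSUM_HMAC_MD5 (-138) as unsigned 32-bit
KDC_CHECKSUM_USAGE = 17               # assumed key usage for PAC checksums
HEADER = struct.Struct("<IIII")       # assumed header layout: four little-endian ULONGs
SAMPLE_KEY = bytes(range(16))                      # constructed stand-in for the krbtgt key
SAMPLE_SERVER_CHECKSUM = bytes(range(0x40, 0x50))  # constructed server checksum


def rfc4757_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """RFC 4757 keyed hash: HMAC-MD5(Ksign, MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def build_request(server_checksum: bytes, kdc_checksum: bytes) -> bytes:
    """Serialize a request the way the application server would send it."""
    header = HEADER.pack(KERB_VERIFY_PAC_MESSAGE, len(server_checksum),
                         HMAC_MD5_SIGNATURE_TYPE, len(kdc_checksum))
    return header + server_checksum + kdc_checksum


def process_verify_pac_request(message: bytes, krbtgt_key: bytes) -> int:
    """DC side: decode the request, verify the KDC checksum, return a status."""
    if len(message) < HEADER.size:
        return STATUS_LOGON_FAILURE
    msg_type, cksum_len, sig_type, sig_len = HEADER.unpack_from(message)
    if msg_type != KERB_VERIFY_PAC_MESSAGE or sig_type != HMAC_MD5_SIGNATURE_TYPE:
        return STATUS_LOGON_FAILURE
    if len(message) != HEADER.size + cksum_len + sig_len:
        return STATUS_LOGON_FAILURE  # example choice: reject any length mismatch
    server_checksum = message[HEADER.size:HEADER.size + cksum_len]
    kdc_checksum = message[HEADER.size + cksum_len:]
    expected = rfc4757_checksum(krbtgt_key, KDC_CHECKSUM_USAGE, server_checksum)
    if not hmac.compare_digest(expected, kdc_checksum):  # constant-time comparison
        return STATUS_LOGON_FAILURE
    return STATUS_SUCCESS


def server_accepts_pac(status: int) -> bool:
    """Server side: any nonzero return code is treated as a failure."""
    return status == 0
```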