

2.8.1 Generation of PAC Signatures

Each PAC signature has a defined relationship to the PAC and a defined place in the order of processing.

  • Because the ticket signature does not cover the PAC, it can be calculated early: it is calculated first and populated before any of the PAC signatures are calculated.

  • The extended KDC signature MUST be zeroed, along with the server signature and the KDC signature, while the PAC signatures are calculated.

  • The KDC signature is a counter signature of the server signature, so it MUST be computed after the server signature. It is calculated last, and its buffer is still zero when the other PAC signatures are calculated.

Generate the PAC as follows:

  1. Build the PAC. This includes not just the authorization data, but also the ticket signature, which can be computed before the PAC is complete. Build the PAC with zeroes as placeholders in all the buffers that will be filled in later.

  2. Sign the PAC. Compute the extended KDC signature and then the server signature, in that order.

  3. Perform the post-signing task: counter-sign the server signature to produce the KDC signature.

The following sections define each signature's generation and calculation process.
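The three-step procedure above, as an added example that is not part of the MS-PAC text and not the code of Windows or any Kerberos implementation: a small Python model of the generation order and of the zeroing rule, together with the matching verification. HMAC-SHA256 and the simplified name/length/data buffer layout in `encode_pac` are assumptions standing in for the Kerberos checksum types and the real PAC encoding; `ticket_body` is a constructed stand-in for the ticket content that the ticket signature covers without the PAC.

```python
import hashlib
import hmac

# Buffer names follow this page; the wire layout below is this example's own
# simplification (assumption), not the real PAC encoding.
TICKET_SIG = "ticket_signature"            # computed over the ticket, stored in the PAC
EXTENDED_KDC_SIG = "extended_kdc_signature"
SERVER_SIG = "server_signature"
KDC_SIG = "kdc_signature"
PAC_SIGNATURES = (EXTENDED_KDC_SIG, SERVER_SIG, KDC_SIG)   # the three zeroed buffers
SIG_LEN = 32   # HMAC-SHA256 digest length (assumption in place of Kerberos checksums)


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Assumption: HMAC-SHA256 stands in for the Kerberos keyed checksum."""
    return hmac.new(key, data, hashlib.sha256).digest()


def encode_pac(buffers: dict, zero_signatures: bool = False) -> bytes:
    """Serialize the buffers in a fixed order as name|len|data.

    With zero_signatures=True the extended KDC, server and KDC signature buffers
    are replaced by zeroes; that encoding is the input to the PAC signatures.
    The ticket signature buffer is left as-is, since it is not one of the three.
    """
    out = bytearray()
    for name in sorted(buffers):
        data = buffers[name]
        if zero_signatures and name in PAC_SIGNATURES:
            data = b"\x00" * len(data)
        out += name.encode() + len(data).to_bytes(4, "little") + data
    return bytes(out)


def generate_pac(authorization_data: bytes, ticket_body: bytes,
                 server_key: bytes, kdc_key: bytes) -> dict:
    # Step 1: build the PAC with zero placeholders in every buffer filled in later.
    pac = {
        "authorization_data": authorization_data,
        TICKET_SIG: b"\x00" * SIG_LEN,
        EXTENDED_KDC_SIG: b"\x00" * SIG_LEN,
        SERVER_SIG: b"\x00" * SIG_LEN,
        KDC_SIG: b"\x00" * SIG_LEN,
    }
    # The ticket signature does not cover the PAC, so it is computed first and
    # populated before any PAC signature is computed.
    pac[TICKET_SIG] = keyed_checksum(kdc_key, ticket_body)

    # Step 2: sign the PAC. Both signatures are computed over the encoding in
    # which the three PAC signature buffers are zero; extended KDC first, then
    # server, as the page orders them.
    signing_input = encode_pac(pac, zero_signatures=True)
    pac[EXTENDED_KDC_SIG] = keyed_checksum(kdc_key, signing_input)
    pac[SERVER_SIG] = keyed_checksum(server_key, signing_input)

    # Step 3: post-signing task. The KDC signature counter-signs the server
    # signature, so it can only be computed last, once that value exists.
    pac[KDC_SIG] = keyed_checksum(kdc_key, pac[SERVER_SIG])
    return pac


def verify_pac(pac: dict, ticket_body: bytes, server_key: bytes, kdc_key: bytes) -> dict:
    """Recompute each signature over the same inputs the generator used and
    report, per signature, whether the stored value matches."""
    signing_input = encode_pac(pac, zero_signatures=True)
    expected = {
        TICKET_SIG: keyed_checksum(kdc_key, ticket_body),
        EXTENDED_KDC_SIG: keyed_checksum(kdc_key, signing_input),
        SERVER_SIG: keyed_checksum(server_key, signing_input),
        KDC_SIG: keyed_checksum(kdc_key, pac[SERVER_SIG]),
    }
    return {name: hmac.compare_digest(pac[name], value) for name, value in expected.items()}


if __name__ == "__main__":
    # Constructed sample keys and data, not real Kerberos material.
    server_key, kdc_key = b"constructed-server-key", b"constructed-kdc-key"
    pac = generate_pac(b"user=alice;groups=1,2", b"constructed-ticket-without-pac",
                       server_key, kdc_key)
    for name, ok in verify_pac(pac, b"constructed-ticket-without-pac",
                               server_key, kdc_key).items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

The verifier rebuilds exactly the zeroed encoding that the KDC signed, which is why the zeroing rule has to be stated as a MUST: a verifier that left any of the three buffers populated would compute a different input and reject every valid PAC. The model also makes the dependency behind the ordering visible: the KDC signature's input is the server signature value itself, so a change to the authorization data breaks the extended KDC and server signatures while the counter signature over the (unchanged) server signature still matches, which is the per-signature result a verifier should report rather than collapsing everything into one boolean.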