5.3.1 Kerberos Privileged Attribute Certificate

Access Manager adds support for Privileged Attribute Certificate (PAC) validation in Kerberos authentication. The PAC contains information about a user's privileges. Domain controllers add this information to Kerberos tickets when the user authenticates within an Active Directory domain.

When users present their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of rights without contacting the domain controller to request that information.

PAC validation is a feature that can be enabled or disabled on a Windows system. When it is enabled, the PAC of a user authenticating to that system is checked against Active Directory to make sure it is valid. PAC validation is controlled by a registry value under the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
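The following PowerShell script is an added example, not part of the Access Manager documentation, showing how an administrator can audit whether PAC validation is explicitly configured under the registry key named above and, if desired, enable it. It assumes the value name ValidateKdcPacSignature (a REG_DWORD where 1 means validate the PAC signature with the KDC and 0 means skip validation); the default applied when the value is absent depends on the Windows version, so confirm the semantics for your OS against Microsoft's documentation before enforcing a change.

```powershell
# Added example (not from the Access Manager documentation): audit and, on request,
# enable Kerberos PAC validation on a Windows member server.
# Assumption: the value name ValidateKdcPacSignature (REG_DWORD, 1 = validate,
# 0 = skip validation) under the key named in the text; verify for your OS version.

$PacKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$PacValue = 'ValidateKdcPacSignature'

function Get-PacValidationState {
    # Returns an object describing whether PAC validation is explicitly configured.
    # Enabled is $null when the value is absent, because the OS default then applies.
    if (-not (Test-Path -Path $PacKey)) {
        return [pscustomobject]@{ Key = $PacKey; Present = $false; Value = $null; Enabled = $null }
    }
    $item = Get-ItemProperty -Path $PacKey -Name $PacValue -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Key = $PacKey; Present = $false; Value = $null; Enabled = $null }
    }
    $current = [int]$item.$PacValue
    [pscustomobject]@{
        Key     = $PacKey
        Present = $true
        Value   = $current
        Enabled = ($current -eq 1)
    }
}

function Enable-PacValidation {
    # Creates the key if it is missing and sets the DWORD to 1.
    # Requires local administrator rights; a reboot may be needed for the change
    # to apply to all services (assumption, check Microsoft's guidance).
    if (-not (Test-Path -Path $PacKey)) {
        New-Item -Path $PacKey -Force | Out-Null
    }
    New-ItemProperty -Path $PacKey -Name $PacValue -PropertyType DWord -Value 1 -Force | Out-Null
    Get-PacValidationState
}

# Usage: run in an elevated PowerShell session on the server that accepts Kerberos tickets.
$state = Get-PacValidationState
$state | Format-List
if ($state.Enabled -ne $true) {
    Write-Warning "PAC validation is not explicitly enabled on $env:COMPUTERNAME."
    # Enable-PacValidation   # uncomment to enforce validation
}
```

Reporting Enabled as $null rather than $false when the value is absent keeps the audit honest: an absent value does not mean validation is off, only that the platform default is in effect, which is exactly the case an administrator should resolve deliberately rather than infer.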

When you create a method that uses the Kerberos class under Methods, new properties must be added to the method configuration. See Creating the Authentication Class, Method, and Contract.