Access Manager provides Privileged Attribute Certificate (PAC) validation support for Kerberos authentication. The PAC contains information about a user’s privileges. Domain controllers add this information to Kerberos tickets when the user authenticates within an Active Directory domain.
When users present their Kerberos tickets to authenticate to other systems, those systems can read the PAC to identify the users’ level of rights without contacting the domain controller to request that information.
You can enable the PAC Validation feature on a Windows system. When it is enabled, the PAC of a user authenticating to that system is checked against Active Directory to ensure that it is valid. You can enable PAC validation with a registry key found in [HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters].