Specify whether Kerberos PAC Checksum validation should be done

This group policy specifies whether or not to verify that the user's PAC (Privilege Authorization Certificate) information is from a trusted KDC (Key Distribution Center) so as to prevent what's referred to as a "silver ticket" attack.

When performing credential verification, a service ticket is fetched for the local system. After the credential is verified, the local system uses the PAC information in the service ticket.

This group policy takes effect when the policy is enabled or when DirectControl is using the user's PAC from a service ticket. This setting does not apply to retrieving the PAC by way of the S4U2Self protocol.

There are 3 possible values for this policy:

  • disabled (default): NO PAC validation will be done at all.
  • enabled: If PAC Validation fails, the PAC information is used and the user login is allowed.
  • enforced: If PAC Validation fails, the PAC information is discarded and the user login is denied.

Setting this group policy to enabled or enforced will have significant impact on the user login and user's group fetch performance.