Hello JC-RAD,
Thank you for posting in the Microsoft Community forum.
Do REGISTRY settings for PAC validation need to be made on CLIENTS AND SERVER to test ENFORCEMENT or just the SERVER?
A: I think just Domain Controller servers (KDC servers). The "Kerberos server" is the domain controller running the KDC service that both accepts inbound Kerberos authentication requests and is responsible for PAC validation.
1. The KDC is a core function provided by a domain controller. Its primary role is to issue Kerberos tickets after authenticating a user’s credentials.
2. When a client requests access to a service, the KDC issues a service ticket that includes a PAC, which contains user authorization information. The KDC (or sometimes the service that receives the ticket) then performs PAC validation to ensure that the data hasn’t been tampered with.
3. The security update includes registry keys specifically designed to control or audit how PAC validation is performed. These keys only need to be deployed on the server that will handle these inbound Kerberos requests—that is, the domain controller acting as the KDC.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou