Why! Won't! PAC (Privilege Attribute Certificate) validation in Microsoft Kerberos Turn! Off!

The reason for the Shatneresque drama in the title is that there are times when you expect that the PAC validation disabling action should work to prevent PAC validation but it does not. If your environment is in a situation where disabling PAC validation is a priority then this can lead to some serious angst and maybe even some hair pulling if you see unexpected results.

As a recap, PAC validation takes place when an application that is trusted for delegation attempts to reuse a Kerberos ticket, from an impersonated or delegated user, that it has already cached locally. This action essentially initiates a quick check to make sure that the PAC (which contains the core information on who the user is and what privileges he or she has in the environment) hasn't been tampered with.
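The post refers to a "PAC validation disabling action" without naming it. The following is an added example, not code from the original post or from Microsoft, for a defender who wants to record what the host is actually configured to do before chasing unexpected results. It assumes the switch in question is the ValidateKdcPacSignature DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (0 turns the check off, 1 turns it on); the function name Get-PacValidationSetting and the output shape are this example's own. Note that, as the post says, the registry value alone does not guarantee that validation stops, so treat the output as one input to the investigation rather than the answer.

```powershell
# Added example: report the Kerberos PAC validation registry switch on the local host.
# Assumption (not stated in the post): the switch is the ValidateKdcPacSignature value
# under the Kerberos\Parameters key. 0 = validation disabled, 1 = validation enabled.
$script:PacKeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$script:PacValueName = 'ValidateKdcPacSignature'

function Get-PacValidationSetting {
    param(
        [string]$Path = $script:PacKeyPath,
        [string]$Name = $script:PacValueName
    )

    # A missing value is not an error here: it simply means the OS default behaviour applies
    # and the registry switch is not in effect on this host.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            ComputerName  = $env:COMPUTERNAME
            Configured    = $false
            Value         = $null
            ValidationOff = $false
            Note          = 'Value not present; OS default applies.'
        }
    }

    $value = [int]$item.$Name
    return [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Configured    = $true
        Value         = $value
        ValidationOff = ($value -eq 0)
        Note          = if ($value -eq 0) {
                            'Switch set to 0; validation may still occur for some callers.'
                        } else {
                            'Switch set to a non-zero value; validation enabled.'
                        }
    }
}

# Usage: print the finding as a table so it can be pasted into a ticket or change record.
Get-PacValidationSetting | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the application server (the Kerberos\Parameters key is readable by standard users on most builds, but elevation avoids surprises on hardened hosts). If the value is present and zero yet validation still appears to happen, that is exactly the situation the post is about, and the next step is to look at how the application process itself runs rather than at the registry again.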
