Kerberos PAC validation

 

 
basically, all Kerberos tickets in windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under system account (but user/service), the resource will issue a verification of the PAC at the nearest domain controller. That DC will verify the PAC load and will give the green light.
 
So in real world: 
 
Say you have a resource, a dc and a client. The clients accesses the resource that is running under a service account, the client retrieves the Kerberos ticket for the resource (if SPN’s are registered etc etc) and the client can access. (the resource will get the PAC load, give it to the DC etc). Now the kerberos ticket the client got will be valid for 10 hours offcourse, but lets say the connection to the resource is broken (user closes application or something) and the DC goes down.. now even if the user reconnects to the resource within that 10 hour limit, he will NOT gain access to the resource since the PAC validation will fail! The KB talks about the resolution for that.