When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key. http://src.mit.edu/fisheye/changelog/krb5/?cs=25532 Commit By: ghudson Revision: 25532 Changed Files: U trunk/src/include/krb5/krb5.hin U trunk/src/lib/krb5/krb/pac.c