When the KDC verifies a PAC, it doesn't really need to check the server signature, since it can't trust that anyway. Allow the caller to pass only a TGT key. https://github.com/krb5/krb5/commit/1e34efd28bd6c7eae84b19f71c87b2ea58939c1a Commit By: ghudson Revision: 25532 Changed Files: U trunk/src/include/krb5/krb5.hin U trunk/src/lib/krb5/krb/pac.c