Event ID 7 — Privilege Attribute Certificate Configuration

Applies To: Windows Server 2008 R2

The Kerberos Privilege Attribute Certificate (PAC) contains all of the group memberships for the security principal requesting access to a resource. This certificate is transferred to the client by using the Key Distribution Center (KDC).

Event Details

Product: Windows Operating System
ID: 7
Source: Microsoft-Windows-Security-Kerberos
Version: 6.1
Symbolic Name: KERBEVT_KRB_PAC_VERIFICATION_FAILURE
Message: The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client %1 in realm %2 could not be validated.

This error is usually caused by domain trust failures; please contact your system administrator.

Resolve

Reset the secure channel between trusts

A secure channel helps secure session communication across a trust relationship. Kerberos uses a secure channel to authenticate users and computers. The secure channel must be available for Kerberos authentication to operate correctly. When a trust is verified, the secure channel is reset.

Note: The name of the domain is identified in the event log message.

To perform this procedure, you must have membership in the Domain Admins group or the Enterprise Admins group, or you must have been delegated the appropriate authority.

To reset the secure channel between trusts:

  1. Log on to a domain controller in the forest.
  2. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  3. Right-click the domain that contains the trust for which you want to reset the secure channel, and then click Properties.
  4. Click the Trusts tab.
  5. Click the trust to be verified, and then click Properties.
  6. Click Validate.
  7. Click Yes, validate the incoming trust.
  8. Provide administrative credentials for the reciprocal domain, and then click OK.

Verify

To verify that the Kerberos Privilege Attribute Certificate (PAC) is present and functioning correctly, you should ensure that a Kerberos ticket was received from the Key Distribution Center (KDC) and cached on the local computer. You can view cached Kerberos tickets on the local computer by using the Klist command-line tool.

Note: Klist.exe is not included with Windows Vista, Windows Server 2003, Windows XP, or Windows 2000. You must download and install the Windows Server Resource Kit before you can use Klist.exe.

To view cached Kerberos tickets by using Klist:

  1. Log on to a Kerberos client computer within your domain.
  2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
  3. Type klist tickets, and then press ENTER.
  4. Verify that a cached Kerberos ticket is available.
    • Ensure that the Client field displays the client on which you are running Klist.
    • Ensure that the Server field displays the domain to which you are connecting.
  5. Close the command prompt.
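The following PowerShell script is an added example, not part of the original page or of Windows itself: it pulls the client (%1) and realm (%2) out of logged Event ID 7 messages and then runs the same klist tickets check as the Verify procedure, parsing the Client and Server fields of each cached ticket. It assumes Windows PowerShell 3.0 or later and that klist.exe is on the path; the function names are my own.

```powershell
function Get-PacVerificationFailure {
    # Query Event ID 7 from the Microsoft-Windows-Security-Kerberos provider and
    # extract the client and realm named in the message text.
    Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 7 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'client\s+(?<client>\S+)\s+in\s+realm\s+(?<realm>\S+)') {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Client      = $Matches.client
                    Realm       = $Matches.realm.TrimEnd('.')
                }
            }
        }
}

function Test-KerberosTicketCache {
    param([Parameter(Mandatory = $true)][string]$Realm)
    # Run 'klist tickets' (as in the Verify steps) and parse one object per ticket
    # from its Client: and Server: lines ("name @ REALM" form).
    $tickets = @()
    $current = $null
    foreach ($line in (klist tickets 2>&1)) {
        if ($line -match 'Client:\s*(?<name>.+?)\s*@\s*(?<realm>\S+)') {
            $current = [pscustomobject]@{ Client = $Matches.name; ClientRealm = $Matches.realm; Server = $null; ServerRealm = $null }
            $tickets += $current
        }
        elseif ($current -and $line -match 'Server:\s*(?<spn>.+?)\s*@\s*(?<realm>\S+)') {
            $current.Server      = $Matches.spn
            $current.ServerRealm = $Matches.realm
        }
    }
    # Tickets issued by the KDC of the named realm carry that realm in the Server field;
    # a krbtgt/ entry is the TGT that shows the KDC exchange succeeded.
    $fromRealm = @($tickets | Where-Object { $_.ServerRealm -eq $Realm })
    [pscustomobject]@{
        Realm           = $Realm
        CachedTickets   = $tickets.Count
        TicketsForRealm = $fromRealm.Count
        TgtPresent      = [bool]($fromRealm | Where-Object { $_.Server -like 'krbtgt/*' })
    }
}

# For every realm named in an Event ID 7 message, report whether this client holds tickets for it.
Get-PacVerificationFailure |
    Select-Object -ExpandProperty Realm -Unique |
    ForEach-Object { Test-KerberosTicketCache -Realm $_ }
```

Run it on the client that logged the event; a realm with TicketsForRealm of 0 after the trust has been validated points back at the secure channel rather than at the local ticket cache.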
