diff --git a/kdc/default_config.c b/kdc/default_config.c
index 83c73504c..6bec10323 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -101,6 +101,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->strict_nametypes = FALSE;
     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
     c->require_pac = FALSE;
+    c->disable_pac = FALSE;
     c->enable_fast = TRUE;
     c->enable_armored_pa_enc_timestamp = TRUE;
     c->enable_unarmored_pa_enc_timestamp = TRUE;
@@ -263,6 +264,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 				     "require_pac",
 				     NULL);
 
+    c->disable_pac =
+	krb5_config_get_bool_default(context,
+				     NULL,
+				     c->disable_pac,
+				     "kdc",
+				     "disable_pac",
+				     NULL);
+
     c->enable_fast =
 	krb5_config_get_bool_default(context,
 				     NULL,
diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h
index 123b7e560..caee019af 100644
--- a/kdc/kdc_locl.h
+++ b/kdc/kdc_locl.h
@@ -100,6 +100,7 @@ struct krb5_kdc_configuration {
     enum krb5_kdc_trpolicy trpolicy;
 
     unsigned int require_pac : 1;
+    unsigned int disable_pac : 1;
     unsigned int enable_fast : 1;
     unsigned int enable_armored_pa_enc_timestamp : 1;
     unsigned int enable_unarmored_pa_enc_timestamp : 1;
diff --git a/kdc/misc.c b/kdc/misc.c
index 1c780df9f..34d93908a 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -348,6 +348,10 @@ _kdc_include_pac_p(astgs_request_t r)
     }
     if (r->server->flags.no_auth_data_reqd)
 	return FALSE;
+    if (r->server->flags.auth_data_reqd)
+	return TRUE;
+    if (r->config->disable_pac)
+        return FALSE;
 
     return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
 }
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 06d069d25..41b2d3b40 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -828,6 +828,11 @@ addresses in the tickets.
 .It Li allow-null-ticket-addresses = Va BOOL
 Allow address-less tickets.
 .\" XXX
+.It Li disable_pac = Va BOOL
+Do not include a PAC in service tickets.
+However, if a service has the
+.Li auth-data-reqd
+attribute then the KDC will include a PAC anyways.
 .It Li enable_fast = Va BOOL
 Enable RFC 6113 FAST support, this is enabled by default.
 .It Li enable_armored_pa_enc_timestamp = Va BOOL