diff --git a/lib/krb5/context.c b/lib/krb5/context.c
index c4fe5a63c..f87eb3fd0 100644
--- a/lib/krb5/context.c
+++ b/lib/krb5/context.c
@@ -242,6 +242,10 @@ init_context_from_config_file(krb5_context context)
 INIT_FLAG(context, flags, KRB5_CTX_F_ENFORCE_OK_AS_DELEGATE, FALSE, "enforce_ok_as_delegate");
 INIT_FLAG(context, flags, KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME, FALSE, "report_canonical_client_name");
+ /* need to verify the PAC if we are going to report the canonical client name */
+ if (flags & KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME)
+ flags |= KRB5_CTX_F_CHECK_PAC;
+
 if (context->default_cc_name)
 free(context->default_cc_name);
 context->default_cc_name = NULL;
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 0a0fab071..bac94b5f7 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -518,9 +518,17 @@ If this flag is true, then all application protocol authentication requests will be flagged to indicate that the application supports channel bindings when operating over a secure channel. The default value is false.
+.It Li check_pac = Va boolean
+If this flag is true and a Windows Privilege Attribute Certificate (PAC)
+is present in the ticket authorization data, then
+.Xr krb5_rd_req 3
+will validate the PAC before returning success. The default value is true.
 .It Li report_canonical_client_name = Va boolean
 If this flag is true, then the canonical client name from the PAC will be used instead of the client name in the ticket. The default value is false.
+Note that setting it to true implicitly sets
+.Va check_pac
+to true.
 .El
 .It Li [domain_realm]
 This is a list of mappings from DNS domain to Kerberos realm.
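Review bot: The new `flags |= KRB5_CTX_F_CHECK_PAC` enforces the "canonical name only from a verified PAC" invariant at config-load time rather than where the name is consumed, so it only holds for flags read by init_context_from_config_file; if KRB5_CTX_F_REPORT_CANONICAL_CLIENT_NAME can be set on the context any other way (a setter or direct manipulation of context->flags), the canonical client name may be taken from an unverified PAC. I would make the consumer in krb5_rd_req defensive, e.g. only substitute the PAC's canonical name when the PAC was actually verified in that call, and keep this line as a convenience for the config path. I also cannot see in this hunk where the check_pac option itself is read; if its INIT_FLAG runs after this line and is able to clear the bit, an explicit `check_pac = false` would silently defeat the implication, so the ordering deserves a comment such as `/* must run after the check_pac INIT_FLAG so it cannot be cleared again */` once confirmed. The body of init_context_from_config_file starts and ends outside this hunk.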