diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 59104da..eb35fac 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -793,15 +793,30 @@ tgs_make_reply(krb5_context context,
     et.flags.hw_authent  = tgt->flags.hw_authent;
     et.flags.anonymous   = tgt->flags.anonymous;
     et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
+    if(rspac->length) {
+	/*
+	 * No not need to filter out the any PAC from the
+	 * auth_data since it's signed by the KDC.
+	 */
+	ret = _kdc_tkt_add_if_relevant_ad(context, &et,
+					  KRB5_AUTHDATA_WIN2K_PAC,
+					  rspac);
+	if (ret)
+	    goto out;
+    }
 	
     if (auth_data) {
+	int i = 0;
 	/* XXX Check enc-authorization-data */
-	et.authorization_data = calloc(1, sizeof(*et.authorization_data));
 	if (et.authorization_data == NULL) {
 	    ret = ENOMEM;
 	    goto out;
 	}
-	ret = copy_AuthorizationData(auth_data, et.authorization_data);
+	for(i=0;i<auth_data->len;i++) {
+		ret = add_AuthorizationData(et.authorization_data,&auth_data->val[i]);
+		if (ret)
+		  goto out;
+	}
 	if (ret)
 	    goto out;
 
@@ -820,17 +835,6 @@ tgs_make_reply(krb5_context context,
 	}
     }
 
-    if(rspac->length) {
-	/*
-	 * No not need to filter out the any PAC from the
-	 * auth_data since it's signed by the KDC.
-	 */
-	ret = _kdc_tkt_add_if_relevant_ad(context, &et,
-					  KRB5_AUTHDATA_WIN2K_PAC,
-					  rspac);
-	if (ret)
-	    goto out;
-    }
 
     ret = krb5_copy_keyblock_contents(context, sessionkey, &et.key);
     if (ret)