Created attachment 11781 [details] patch for master
The S-1-18-1 (Authentication authority asserted identity) is typically part of the PAC validation info3 from Windows Server 2012 and should be ommitted for the token calculation as it remains as an unmapped group.
Comment on attachment 11781 [details] patch for master LGTM
Andreas: please close the bug if fixed or assign it accordingly
In master as ecc7022d7c3cd481b0caf6c9c48c72ea3e7ac822.