z/OS Security Server RACF System Programmer's Guide


How RACF processes the password or PassTicket

SA23-2287-00

To validate a password or PassTicket, RACF®:

  1. Determines whether the value in the password field is the RACF password for the user ID.
    • If it is the RACF password, the validation is complete.
    • If it is not the RACF password, processing continues.
  2. Determines whether a secured signon application profile has been defined for the application in the PTKTDATA class.
    • If a profile has not been defined, RACF sends a message to the user ID indicating that the password is not valid.
    • If the application is defined to the PTKTDATA class, processing continues.
  3. Evaluates the value entered in the password field. The evaluation determines whether:
    • The value is a PassTicket consistent with this user ID, application, and time range.
    • When PassTicket replay protection is in effect (that is, replay protection is not being bypassed), the PassTicket has not already been used on this computer system for this user ID, application, and time range.
    Note: A PassTicket is considered to be within the valid time range when the time of generation (with respect to the clock on the generating computer) is within plus or minus 10 minutes of the time of evaluation (with respect to the clock on the evaluating computer).

    If the value is determined to be a valid PassTicket, the user is allowed access to the desired application. If the value is not a valid PassTicket, RACF sends a message indicating that the user entered a password that is not valid.

  4. Gives the user ID access to the desired application if the PassTicket is valid.
Note:
  1. For RACF to properly evaluate PassTickets, the TOD clock must be properly set to Greenwich Mean Time (GMT) rather than local time. (GMT is also referred to as coordinated universal time (UTC).)
  2. If the RACF secured signon application key is encrypted, the cryptographic product must be active when RACF tries to authenticate the PassTicket. If it is not active, RACF cannot validate the PassTicket. The resulting message indicates that the logon attempt failed.
  3. If the evaluation fails, the host application sends the user a message stating that the value in the password field is not valid.
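The following is an added example, not IBM's code, that models the four-step flow above as a small validator: the RACF password is checked first, then the PTKTDATA profile, then the PassTicket's binding to user ID, application and the plus or minus 10-minute window, and finally the replay cache. RACF's real PassTicket algorithm is not described on this page, so the ticket value here is a stand-in HMAC over user, application and generation minute; the PTKTDATA table, the password table, the key values and the `gmt()` clock helper are all constructed for the example. The evaluator does not know the generation time, so it tries every whole minute inside the window, which is how the time-range check is made concrete.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Plus or minus 10 minutes between generation clock and evaluation clock, per the text.
WINDOW = timedelta(minutes=10)

# Constructed stand-in for PTKTDATA profiles: application -> secured signon key.
# The key below is made up for the example and is not a real secret.
PTKTDATA = {
    "TSOAPP": b"example-key-for-TSOAPP-not-a-real-secret",
}

# Constructed stand-in for the user's RACF password (step 1).
RACF_PASSWORDS = {"USER01": "correct-horse"}

# Replay cache: (user, application, ticket) triples already accepted on this system.
_used_tickets = set()


def gmt(hour, minute):
    """Constructed clock helper: a GMT/UTC timestamp on a fixed example date (note 1
    says the evaluating clock must be GMT, not local time)."""
    return datetime(2014, 1, 1, hour, minute, tzinfo=timezone.utc)


def make_ticket(user, app, key, gen_time):
    """Stand-in PassTicket: an HMAC over user ID, application and generation minute.
    This is NOT RACF's PassTicket algorithm; it only models a value that is bound to
    a user ID, an application and a time."""
    minute = gen_time.replace(second=0, microsecond=0)
    msg = f"{user}|{app}|{minute.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def validate(user, app, value, eval_time, replay_protection=True):
    """Return 'password', 'passticket', or an 'invalid: ...' reason string."""
    # Step 1: is the value the user's RACF password? If so, validation is complete.
    if RACF_PASSWORDS.get(user) == value:
        return "password"

    # Step 2: is a secured signon application profile defined for this application?
    key = PTKTDATA.get(app)
    if key is None:
        return "invalid: no PTKTDATA profile for application"

    # Step 3: is the value a PassTicket for this user ID, application and time range?
    # Try each whole minute from eval_time - 10 min to eval_time + 10 min.
    candidate = (eval_time - WINDOW).replace(second=0, microsecond=0)
    end = eval_time + WINDOW
    matched = False
    while candidate <= end:
        if hmac.compare_digest(make_ticket(user, app, key, candidate), value):
            matched = True
            break
        candidate += timedelta(minutes=1)
    if not matched:
        return "invalid: not a PassTicket for this user, application and time range"

    # Replay protection: reject a ticket already used on this system for this triple.
    if replay_protection:
        if (user, app, value) in _used_tickets:
            return "invalid: PassTicket already used (replay)"
        _used_tickets.add((user, app, value))

    # Step 4: the PassTicket is valid; grant access to the application.
    return "passticket"


if __name__ == "__main__":
    ticket = make_ticket("USER01", "TSOAPP", PTKTDATA["TSOAPP"], gmt(12, 0))
    print(validate("USER01", "TSOAPP", ticket, gmt(12, 9)))   # passticket
    print(validate("USER01", "TSOAPP", ticket, gmt(12, 9)))   # replay rejected
    print(validate("USER01", "TSOAPP", ticket, gmt(12, 11)))  # outside the window
```

The order of the checks matters for operators reading failure messages: an application missing from PTKTDATA fails at step 2 before any ticket arithmetic, a clock skew beyond 10 minutes fails at step 3, and a re-submitted ticket fails only when replay protection is in effect, which is why bypassing replay protection widens the exposure of a captured ticket to the full 20-minute window.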





Copyright IBM Corporation 1990, 2014