diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py
index 243502f..f7640e3 100644
--- a/src/ipahealthcheck/ipa/trust.py
+++ b/src/ipahealthcheck/ipa/trust.py
@@ -684,3 +684,23 @@ def check(self):
 key='adtrustpackage',
 msg='trust-ad sub-package is not installed. '
 'Administration will be limited.')
+
+
+@registry
+class IPAauthzdatapacCheck(IPAPlugin):
+ """
+ Verify that the MS-PAC generation is not disabled
+ """
+ @duration
+ def check(self):
+ ipaconfig = api.Command.config_show(raw=True)
+ krbauthzdata = ipaconfig['result'].get('ipakrbauthzdata', tuple())
+ authzdata = 'MS-PAC'
+ if authzdata not in krbauthzdata:
+ yield Result(self, constants.ERROR,
+ key=authzdata,
+ error='access to IPA API will not work',
+ msg='MS-PAC generation is not enabled '
+ 'in IPA configuration {key}: {error}')
+ else:
+ yield Result(self, constants.SUCCESS, key='MS-PAC')
diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py
index 6c4754a..39ad6ec 100644
--- a/tests/test_ipa_trust.py
+++ b/tests/test_ipa_trust.py
@@ -23,7 +23,8 @@
 IPATrustControllerGroupSIDCheck,
 IPATrustControllerAdminSIDCheck,
 IPATrustControllerConfCheck,
- IPATrustPackageCheck)
+ IPATrustPackageCheck,
+ IPAauthzdatapacCheck)
 from ipalib import errors
 from ipapython.dn import DN
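Review bot: In `IPAauthzdatapacCheck.check` (the trust.py hunk) the ERROR message renders as "MS-PAC generation is not enabled in IPA configuration MS-PAC: access to IPA API will not work", because `{key}` is the literal `MS-PAC`, so it never names the setting an operator has to change. Suggest `msg='{key} is missing from ipakrbauthzdata in the IPA configuration: {error}'`, and `key=authzdata` in the SUCCESS branch as well, which currently repeats the literal. The check reads only what `config_show` returns, so the docstring could state that it covers the global default and does not inspect any per-service authorization-data settings, if those can override it. `api.Command.config_show(raw=True)` is also called with no error handling; unless the framework already converts plugin exceptions into results, a failed call would surface as a traceback rather than a finding.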
@@ -1287,3 +1288,44 @@ def test_agent_without_package(self):
 assert result.source == 'ipahealthcheck.ipa.trust'
 assert result.check == 'IPATrustPackageCheck'
 sys.modules['ipaserver.install'] = save
+
+
+class TestConfiguration(BaseTest):
+
+ def test_ipakrbauthzdata_positive(self):
+ framework = object()
+ registry.initialize(framework, config.Config)
+ f = IPAauthzdatapacCheck(registry)
+
+ m_api.Command.config_show.side_effect = [{
+ 'result': {
+ 'ipakrbauthzdata': ['MS-PAC', 'nfs:NONE', ]
+ }
+ }]
+ self.results = capture_results(f)
+
+ assert len(self.results) == 1
+
+ result = self.results.results[0]
+ assert result.result == constants.SUCCESS
+ assert result.source == 'ipahealthcheck.ipa.trust'
+ assert result.check == 'IPAauthzdatapacCheck'
+
+ def test_ipakrbauthzdata_negative(self):
+ framework = object()
+ registry.initialize(framework, config.Config)
+ f = IPAauthzdatapacCheck(registry)
+
+ m_api.Command.config_show.side_effect = [{
+ 'result': {
+ 'ipakrbauthzdata': ['nfs:NONE', ]
+ }
+ }]
+ self.results = capture_results(f)
+
+ assert len(self.results) == 1
+
+ result = self.results.results[0]
+ assert result.result == constants.ERROR
+ assert result.source == 'ipahealthcheck.ipa.trust'
+ assert result.check == 'IPAauthzdatapacCheck'
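Review bot: Neither test exercises the `.get('ipakrbauthzdata', tuple())` fallback in the check, that is a `config_show` result carrying no `ipakrbauthzdata` at all, and `test_ipakrbauthzdata_negative` asserts only the severity, not the `key`, `error` or `msg` an operator would actually see. A third case with an empty `result` dict plus an assertion on the reported key would pin both; the sketch below assumes `Result` exposes its keyword arguments as `kw`, which is not visible in this hunk. `TestConfiguration` is also a broad name for a class that only covers the PAC check.

```python
# … unchanged: test_ipakrbauthzdata_positive, test_ipakrbauthzdata_negative …

    def test_ipakrbauthzdata_missing(self):
        framework = object()
        registry.initialize(framework, config.Config)
        f = IPAauthzdatapacCheck(registry)

        # constructed sample: the attribute is absent from the result
        m_api.Command.config_show.side_effect = [{'result': {}}]
        self.results = capture_results(f)

        assert len(self.results) == 1

        result = self.results.results[0]
        assert result.result == constants.ERROR
        assert result.check == 'IPAauthzdatapacCheck'
        assert result.kw.get('key') == 'MS-PAC'
```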