Win logon to a MIT Kerberos V KDC?

Luke Howard lukeh at PADL.COM
Fri Sep 27 09:10:51 EDT 2002

Just for the record, a Windows 2000 client will send some preauth data
requesting that the PAC be included (this is described in John Brezak's
IETF draft specifying the PAC format). That may be what was being 
referred to in previous mails. The default is to include the PAC,
but it might be sensible for a UNIX-based KDC to make the default 
to not include the PAC.

Adding support to a KDC for the PAC is not that difficult if you have
a sensible architecture (for example, an integrated directory backend
for the KDC). The difficulty lies in some of the other, unpublished,
protocols which are necessary for domain logon.

-- Luke

Luke Howard | PADL Software Pty Ltd |
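
An added example, not part of the original message or of any KDC's code: how a KDC could honour the client's PAC request with a configurable default. The padata name KERB-PA-PAC-REQUEST and its type 128 come from Microsoft's published Kerberos documentation rather than from this post; the function names, the sample bytes and the fallback on malformed input are assumptions of the example.

```python
# Added illustration: hypothetical helper names, constructed sample inputs.
# KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
PA_PAC_REQUEST = 128  # padata-type carrying the client's PAC preference


def _tlv(buf, pos, expected_tag):
    """Read one short-form DER TLV at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError("unexpected tag or truncated header")
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not valid for this structure")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos + 2:end], end


def parse_pac_request(value):
    """Decode the padata-value and return the include-pac flag."""
    seq, end = _tlv(value, 0, 0x30)      # SEQUENCE
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    ctx, end = _tlv(seq, 0, 0xA0)        # [0] explicit context tag
    if end != len(seq):
        raise ValueError("unexpected extra field")
    flag, end = _tlv(ctx, 0, 0x01)       # BOOLEAN
    if end != len(ctx) or len(flag) != 1:
        raise ValueError("malformed BOOLEAN")
    return flag[0] != 0


def should_include_pac(padata, default_include):
    """padata: list of (padata_type, padata_value) pairs from the request.

    default_include is the KDC policy used when the client expresses no
    preference: True matches the Windows default, False is the default
    suggested above for a UNIX-based KDC.
    """
    for ptype, pvalue in padata:
        if ptype == PA_PAC_REQUEST:
            try:
                return parse_pac_request(pvalue)
            except ValueError:
                # Assumption of this example: ignore a malformed request
                # and fall back to policy rather than failing the logon.
                return default_include
    return default_include
```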

