Win logon to a MIT Kerberos V KDC?
lukeh at PADL.COM
Fri Sep 27 09:10:51 EDT 2002

Just for the record, a Windows 2000 client will send some preauth data
requesting that the PAC be included (this is described in John Brezak's
IETF draft specifying the PAC format). That may be what was being
referred to in previous mails. The default is to include the PAC,
but it might be sensible for a UNIX-based KDC to make the default
to not include the PAC.

Adding support to a KDC for the PAC is not that difficult if you have
a sensible architecture (for example, an integrated directory backend
for the KDC). The difficulty lies in some of the other, unpublished,
protocols which are necessary to domain logon.
Luke Howard | PADL Software Pty Ltd | www.padl.com
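
The PAC-request preauth data discussed in the message above, shown as an added example that is not part of the original post and is not MIT or PADL code. It assumes the published definition of the field (padata type 128, KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac[0] BOOLEAN }); the function names, the default_include policy parameter and the sample padata are hypothetical and constructed for illustration.

```python
# Added example: decode KERB-PA-PAC-REQUEST and apply a KDC-side default.
PA_PAC_REQUEST = 128  # padata-type carrying KERB-PA-PAC-REQUEST


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_pa_pac_request(value):
    """KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac[0] BOOLEAN }"""
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    tag, ctx, end = _read_tlv(seq, 0)
    if tag != 0xA0 or end != len(seq):
        raise ValueError("expected [0] include-pac")
    tag, flag, end = _read_tlv(ctx, 0)
    if tag != 0x01 or len(flag) != 1 or end != len(ctx):
        raise ValueError("include-pac is not a BOOLEAN")
    return flag[0] != 0


def kdc_should_include_pac(padata, default_include):
    """padata: list of (padata_type, padata_value) from the AS-REQ."""
    for pa_type, pa_value in padata:
        if pa_type == PA_PAC_REQUEST:
            return parse_pa_pac_request(pa_value)
    return default_include  # client expressed no preference


# Constructed sample padata (not captured traffic); type 2 value is a dummy.
WANTS_PAC = [(2, b"\x00"), (PA_PAC_REQUEST, bytes.fromhex("3005a0030101ff"))]
NO_PAC = [(PA_PAC_REQUEST, bytes.fromhex("3005a003010100"))]
SILENT = [(2, b"\x00")]  # a client that sends no PAC request at all
```

With default_include=False, only a client that explicitly asks for the PAC gets one; a malformed request raises ValueError so the KDC can reject it instead of guessing.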