Architectural Question...

Luke Howard lukeh at PADL.COM
Fri Feb 14 06:22:03 EST 2003


>Can you provide any references or documentation on this?  I have looked
>through all of the Microsoft documents I can get a hold of, and can find
>no information on this.

A brief overview is given at:

http://www.usenix.org/publications/login/1998-5/brundrett.html

The PAC verification RPC will be made by the LSA when a client provides a
PAC in the AP_REQ, the server is not running as the Local System Account,
and the server calls ImpersonateSecurityContext(). One can modify the 
MSDN sample SSPI server fairly easily to trigger this.

The RPC is to avoid the privilege escalation that would arise from a server
running with less privilege forging a ticket to itself with privileged
authorization data and asking the LSA to impersonate.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
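As an added illustration (not part of Luke's post, and not Microsoft's code), the following toy model shows why the LSA cannot settle the question locally and has to make the verification RPC to a domain controller. It follows the two-signature layout documented in MS-PAC: a server signature keyed with the service's own long-term key, and a KDC signature over that server signature keyed with the krbtgt key. The keys, the authorization data, and the use of HMAC-SHA256 (real PACs use the Kerberos checksum types) are constructed assumptions for the example. A service that knows only its own key can produce a PAC whose server signature checks out locally, which is exactly the ticket-to-itself case the post describes; only the DC, holding the krbtgt key, can tell that the KDC signature is bogus.

```python
import hashlib
import hmac

# Constructed keys for the model: the service knows SERVICE_KEY, and only the
# KDC / domain controller knows KRBTGT_KEY. Neither value is a real key.
SERVICE_KEY = b"service-long-term-key"
KRBTGT_KEY = b"krbtgt-long-term-key"


def _mac(key, data):
    # Toy stand-in for the Kerberos checksum used in a real PAC.
    return hmac.new(key, data, hashlib.sha256).digest()


def kdc_issue_pac(authz_data):
    """KDC builds a PAC: body, server signature, and KDC signature over the server signature."""
    server_sig = _mac(SERVICE_KEY, authz_data)
    kdc_sig = _mac(KRBTGT_KEY, server_sig)
    return {"authz": authz_data, "server_sig": server_sig, "kdc_sig": kdc_sig}


def service_forge_pac(authz_data):
    """Models a less-privileged server forging a ticket to itself.

    It holds its own key, so the server signature is valid; it does not hold
    the krbtgt key, so the KDC signature can only be a placeholder.
    """
    server_sig = _mac(SERVICE_KEY, authz_data)
    return {"authz": authz_data, "server_sig": server_sig, "kdc_sig": b"\x00" * 32}


def local_check(pac):
    """What a server can verify on its own: the server signature with its own key."""
    return hmac.compare_digest(pac["server_sig"], _mac(SERVICE_KEY, pac["authz"]))


def dc_verify_rpc(pac):
    """Models the PAC verification RPC: the DC checks the KDC signature with the krbtgt key."""
    return hmac.compare_digest(pac["kdc_sig"], _mac(KRBTGT_KEY, pac["server_sig"]))


def lsa_impersonate_decision(pac, running_as_local_system):
    """Models the rule in the post for a PAC presented in the AP_REQ.

    The local signature must pass; then, unless the server runs as Local
    System (which already holds the machine's full privilege, so a forged
    PAC would gain it nothing), the DC must confirm the PAC over the RPC.
    """
    if not local_check(pac):
        return False
    if running_as_local_system:
        return True
    return dc_verify_rpc(pac)


if __name__ == "__main__":
    genuine = kdc_issue_pac(b"user=alice;groups=Users")        # constructed
    forged = service_forge_pac(b"user=alice;groups=Domain Admins")  # constructed
    print("genuine, non-Local-System server:", lsa_impersonate_decision(genuine, False))
    print("forged,  non-Local-System server:", lsa_impersonate_decision(forged, False))
    print("forged passes local check only:", local_check(forged), dc_verify_rpc(forged))
```

The point of the model is the asymmetry: both PACs pass `local_check`, so without the RPC the LSA would happily impersonate the forged authorization data; `dc_verify_rpc` is the step that only a key holder outside the server's reach can perform.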

