Using Windows AD generated Kerberos tickets without a PAC

Douglas E. Engert deengert at anl.gov
Wed Aug 18 11:55:41 EDT 2004


The long awaited change from Microsoft is finally out. The change to AD allows
a bit to be set in the userAccountControl that says that service tickets created
for this service should not include a PAC. This will make them substantially
smaller, and usable with UDP or other places where size is a problem.

This change was originally requested almost a year ago for use with OpenAFS.
Since then OpenAFS in release 1.3.70 has made a change to allow for larger tickets.

But there may still be situations where this patch may be useful, such as
with other UDP based protocols, or with older Kerberos versions that do not
support TCP to the KDC.

   "An update is available that introduces the NO_AUTH_REQUIRED flag to
    the UserAccountControl property in Windows 2000"
    http://support.microsoft.com/?kbid=832572


-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

