Microsoft PAC field
Markus Moeller
huaraz at moeller.plus.com
Thu Jul 15 17:56:49 EDT 2004
Sam
the document
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp
says:
The PAC is generated by the KDC under the following conditions:
a.. During an AS request that has been validated with pre-authentication.
b.. During a TGS request when the client has no PAC and the target is a
service in the domain or a ticket granting service (referral ticket).
which I interpret that the authorisation data are send as part of an AS-REP
or TGS-REP and if it is an AS-REP stored in the credential cache. I can see
that the size of my credential cache is much bigger after a kinit with PAC
enabled compared to PAC disabled and it increases if I am a member of more
groups. So I would expect to read the authorisation data from the cache and
since the authorisation data is signed there shouldn't be any threat from a
spoofed kdc, when this data is forwarded to a server.
Thanks
Markus
"Sam Hartman" <hartmans at MIT.EDU> wrote in message
news:tslr7rdp024.fsf at cz.mit.edu...
> >>>>> "Markus" == Markus Moeller <huaraz at moeller.plus.com> writes:
>
> Markus> Has anybody tried to use the PAC field with MIT Kerberos ?
> Markus> I tried after a kinit against a w2k kdc to look at the
> Markus> details in the credential cache, but all pointers to
> Markus> authorisation data (cred->authdata and
> Markus> decode(cred->ticket)->enc_part2->authorization_data) are
> Markus> 0.
>
> Authorization data is only available to the service. Authenticate
> against the local host as a service and then get access to the
> authorization data. Doing anything else would be vulnerable to a
> spoofed KDC anyway.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
More information about the Kerberos
mailing list