Microsoft PAC field

Markus Moeller huaraz at moeller.plus.com
Thu Jul 15 17:56:49 EDT 2004


Sam

the document
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp
says:

The PAC is generated by the KDC under the following conditions:

  a. During an AS request that has been validated with pre-authentication.
  b. During a TGS request when the client has no PAC and the target is a
     service in the domain or a ticket granting service (referral ticket).

which I interpret as meaning that the authorisation data are sent as part of an AS-REP
or TGS-REP and, if it is an AS-REP, stored in the credential cache. I can see
that the size of my credential cache is much bigger after a kinit with PAC
enabled compared to PAC disabled, and it increases if I am a member of more
groups. So I would expect to read the authorisation data from the cache, and
since the authorisation data is signed there shouldn't be any threat from a
spoofed KDC when this data is forwarded to a server.

Thanks
Markus


"Sam Hartman" <hartmans at MIT.EDU> wrote in message
news:tslr7rdp024.fsf at cz.mit.edu...
> >>>>> "Markus" == Markus Moeller <huaraz at moeller.plus.com> writes:
>
>     Markus> Has anybody tried to use the PAC field with MIT Kerberos ?
>     Markus> I tried after a kinit against a w2k kdc to look at the
>     Markus> details in the credential cache, but all pointers to
>     Markus> authorisation data (cred->authdata and
>     Markus> decode(cred->ticket)->enc_part2->authorization_data) are
>     Markus> 0.
>
> Authorization data is only available to the service.  Authenticate
> against the local host as a service and then get access to the
> authorization data.  Doing anything else would be vulnerable to a
> spoofed KDC anyway.
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
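The two observations in this thread (cred->authdata is empty, yet the cache grows with group membership) can be checked directly against the MIT file credential cache layout: the PAC travels inside the ticket's encrypted part, which the cache stores as an opaque blob, while the cache's own authdata list stays empty. The following parser is an added example, not code from the thread or from MIT Kerberos; it reads an FCC version 4 cache and reports, per credential, the authdata count and the ticket length, using a constructed sample cache (hypothetical realm EXAMPLE.TEST, dummy key and ticket bytes) rather than real KDC output.

```python
import struct
def _u(fmt, buf, off):  # unpack one big-endian field; return (value, next offset)
    return struct.unpack_from(">" + fmt, buf, off)[0], off + struct.calcsize(">" + fmt)
def _counted(buf, off):  # uint32 length followed by that many bytes
    n, off = _u("I", buf, off)
    return buf[off:off + n], off + n
def _principal(buf, off):
    _, off = _u("I", buf, off)                   # name_type (v4 stores it before the count)
    ncomp, off = _u("I", buf, off)
    realm, off = _counted(buf, off)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(buf, off); comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), off
def _typed_list(buf, off):  # addresses and authdata: uint32 count, then (uint16 type, counted data)
    n, off = _u("I", buf, off)
    items = []
    for _ in range(n):
        t, off = _u("H", buf, off); d, off = _counted(buf, off); items.append((t, d))
    return items, off
def parse_ccache(buf):
    """Return [(server principal, authdata count, ticket length)] for each credential."""
    if buf[:2] != b"\x05\x04": raise ValueError("only FCC version 4 is handled here")
    hlen, off = _u("H", buf, 2)
    _, off = _principal(buf, off + hlen)         # skip header tags, then the default principal
    out = []
    while off < len(buf):
        _, off = _principal(buf, off)            # client
        server, off = _principal(buf, off)
        _, off = _u("H", buf, off)               # enctype
        _, off = _counted(buf, off)              # session key
        off += 4 * 4 + 1 + 4                     # authtime..renew_till, is_skey, ticket_flags
        _, off = _typed_list(buf, off)           # addresses
        authdata, off = _typed_list(buf, off)    # cred->authdata: empty even when a PAC was issued
        ticket, off = _counted(buf, off)         # opaque DER Ticket; the PAC is in its enc-part
        _, off = _counted(buf, off)              # second_ticket
        out.append((server, len(authdata), len(ticket)))
    return out
# --- constructed sample cache (hypothetical realm EXAMPLE.TEST, not real KDC output) ---
def _c(b): return struct.pack(">I", len(b)) + b
def _p(realm, *comps): return struct.pack(">II", 1, len(comps)) + _c(realm) + b"".join(map(_c, comps))
def build_sample(ticket_len):  # one TGT for markus@EXAMPLE.TEST with a ticket blob of ticket_len bytes
    hdr = struct.pack(">HHH", 12, 1, 8) + b"\0" * 8          # header length, deltatime tag
    cred = (_p(b"EXAMPLE.TEST", b"markus") + _p(b"EXAMPLE.TEST", b"krbtgt", b"EXAMPLE.TEST")
            + struct.pack(">H", 18) + _c(b"\x11" * 32)       # aes256 session key (dummy bytes)
            + b"\0" * 17 + struct.pack(">III", 0x40E10000, 0, 0)  # times, is_skey, flags, 0 addrs, 0 authdata
            + _c(b"\xAA" * ticket_len) + _c(b""))
    return b"\x05\x04" + hdr + _p(b"EXAMPLE.TEST", b"markus") + cred
```

Running parse_ccache over two constructed caches whose only difference is the ticket length shows the authdata count staying at zero while the ticket blob grows, which is why the client can see the size change but not the PAC contents.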