Microsoft PAC field

Sam Hartman hartmans at MIT.EDU
Thu Jul 15 18:43:41 EDT 2004


>>>>> "Markus" == Markus Moeller <huaraz at moeller.plus.com> writes:

    Markus> Sam the document
    Markus> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp
    Markus> says:

    Markus> The PAC is generated by the KDC under the following
    Markus> conditions:

    Markus>   a. During an AS request that has been validated with
    Markus>      pre-authentication.
    Markus>   b. During a TGS request when the client has no PAC and
    Markus>      the target is a service in the domain or a ticket
    Markus>      granting service (referral ticket).

    Markus> which I interpret to mean that the authorisation data are
    Markus> sent as part of an AS-REP or TGS-REP and, if it is an
    Markus> AS-REP, stored in the credential cache. I can see that the
    Markus> size of my credential cache is much bigger after a kinit
    Markus> with PAC enabled compared to PAC disabled and it increases
    Markus> if I am a member of more groups. So I would expect to read
    Markus> the authorisation data from the cache

Sure, but to actually use the authorization data you need to decrypt
it.  Which would be easy if you had the krbtgt key in which it is
encrypted.

    Markus> and since the
    Markus> authorisation data is signed there shouldn't be any threat
    Markus> from a spoofed kdc, when this data is forwarded to a
    Markus> server.

But a client that tried to read the data without getting a service
ticket for itself could be fooled by a spoofed KDC.

Only after calling krb5_rd_req will you be able to read the
authorization data.
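
What a service can do with the authorization data once krb5_rd_req has decrypted the ticket, as an added example that is not part of the original post: it walks the DER-encoded AuthorizationData (RFC 4120), descends into AD-IF-RELEVANT, extracts the AD-WIN2K-PAC element and lists the PAC buffers, including the two signature buffers. The sample bytes and all function names are constructed for illustration; a client holding only a TGT never has this plaintext, because it sits inside the part of the ticket encrypted in the krbtgt key.

```python
import struct

AD_IF_RELEVANT, AD_WIN2K_PAC = 1, 128   # ad-type values (RFC 4120, MS-PAC)
PAC_NAMES = {1: "LOGON_INFO", 6: "SERVER_CHECKSUM", 7: "KDC_CHECKSUM", 10: "CLIENT_INFO"}

def read_tlv(buf, pos=0):
    """Return (value, next_pos) of the DER element at buf[pos]; the tag is not validated."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def find_pac(authdata):
    """Walk AuthorizationData, descending into AD-IF-RELEVANT; return PAC bytes or None."""
    seq, pos = read_tlv(authdata)[0], 0
    while pos < len(seq):
        entry, pos = read_tlv(seq, pos)          # SEQUENCE {ad-type [0], ad-data [1]}
        type_field, nxt = read_tlv(entry)        # [0] wraps an INTEGER
        data_field, _ = read_tlv(entry, nxt)     # [1] wraps an OCTET STRING
        ad_type = int.from_bytes(read_tlv(type_field)[0], "big", signed=True)
        ad_data = read_tlv(data_field)[0]
        if ad_type == AD_WIN2K_PAC:
            return ad_data
        if ad_type == AD_IF_RELEVANT and (pac := find_pac(ad_data)) is not None:
            return pac
    return None

def pac_buffers(pac):
    """Return [(buffer name, size)] from the PACTYPE header of a PAC blob."""
    count, _version = struct.unpack_from("<II", pac, 0)
    out = []
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("PAC buffer lies outside the blob")
        out.append((PAC_NAMES.get(ul_type, str(ul_type)), size))
    return out

# Constructed sample: a PAC with only the two signature buffers, nested as
# AD-IF-RELEVANT -> AD-WIN2K-PAC. The helpers emit short-form DER lengths only.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _authdata(ad_type, data):
    return _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, ad_type)) + _tlv(0xA1, _tlv(0x04, data))))

SAMPLE_PAC = struct.pack("<IIIIQIIQ", 2, 0, 6, 8, 40, 7, 8, 48) + bytes(16)
SAMPLE_AUTHDATA = _authdata(b"\x01", _authdata(b"\x00\x80", SAMPLE_PAC))
```

Locating the PAC is not the same as trusting it: the SERVER_CHECKSUM and KDC_CHECKSUM buffers listed by `pac_buffers` still have to be verified before the group data is used.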


