Microsoft PAC field
Sam Hartman
hartmans at MIT.EDU
Thu Jul 15 18:43:41 EDT 2004
>>>>> "Markus" == Markus Moeller <huaraz at moeller.plus.com> writes:
Markus> Sam, the document
Markus> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp
Markus> says:
Markus> The PAC is generated by the KDC under the following
Markus> conditions:
Markus> a. During an AS request that has been validated with
Markus> pre-authentication.
Markus> b. During a TGS request when the client has no PAC and the
Markus> target is a service in the domain or a ticket granting
Markus> service (referral ticket).
Markus> which I interpret to mean that the authorisation data are sent as
Markus> part of an AS-REP or TGS-REP and, if it is an AS-REP, stored
Markus> in the credential cache. I can see that the size of my
Markus> credential cache is much bigger after a kinit with PAC
Markus> enabled compared to PAC disabled, and it increases if I am
Markus> a member of more groups. So I would expect to read the
Markus> authorisation data from the cache
Sure, but to actually use the authorization data you need to decrypt
it, which would be easy if you had the krbtgt key in which it is
encrypted.
Markus> and since the
Markus> authorisation data is signed, there shouldn't be any threat
Markus> from a spoofed KDC when this data is forwarded to a
Markus> server.
But a client that tried to read the data without getting a service
ticket for itself could be fooled by a spoofed KDC.
Only after calling krb5_rd_req will you be able to read the
authorization data.
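Added example, not code from this thread or from MIT Kerberos: a Python sketch of what "the authorisation data is signed" amounts to for the PAC, and which key each check needs. Per MS-PAC the PAC carries two checksums: a server checksum over the whole PAC (both Signature fields zeroed) computed with the target service's long-term key, and a KDC checksum over that server checksum computed with the krbtgt key. The signature algorithm used here is the RC4-HMAC checksum of RFC 4757 (key usage 17). The keys, the buffer contents and the logon-info payload are constructed for the example; the logon info is a placeholder, not an NDR-encoded KERB_VALIDATION_INFO. The PAC bytes handled below are the decrypted form, which a service only sees after krb5_rd_req has decrypted its ticket with its own key; a client looking at its credential cache never gets that far, since the ticket is encrypted in the krbtgt key.

```python
import hashlib
import hmac
import struct

# MS-PAC buffer types and signature constants used below
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6              # keyed with the target service's long-term key
PAC_PRIVSVR_CHECKSUM = 7             # the "KDC checksum", keyed with the krbtgt key
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # RC4-HMAC checksum type, 16-byte signature
KERB_NON_KERB_CKSUM_SALT = 17        # key usage number used for PAC signatures
SIG_LEN = 16

# Constructed keys for this example; real ones are the accounts' RC4 (NT hash) keys.
SERVICE_KEY = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
KRBTGT_KEY = bytes.fromhex("0cb6948805f797bf2a82807973b89537")
FAKE_KRBTGT_KEY = bytes.fromhex("ffffffffffffffffffffffffffffffff")


def rc4_hmac_checksum(key, usage, data):
    # RFC 4757 section 4: HMAC-MD5 under a signing key derived from the RC4 key
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def build_pac(buffers):
    # PACTYPE header (cBuffers, Version), PAC_INFO_BUFFER array, then 8-byte aligned buffers
    offset = 8 + 16 * len(buffers)
    infos, body = [], b""
    for btype, payload in buffers:
        infos.append(struct.pack("<IIQ", btype, len(payload), offset))
        padded = payload + b"\x00" * (-len(payload) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + b"".join(infos) + body


def parse_pac(pac):
    # Returns {ulType: (offset, buffer bytes)}; offsets count from the start of PACTYPE
    cbuffers = struct.unpack_from("<I", pac, 0)[0]
    out = {}
    for i in range(cbuffers):
        btype, size, off = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        out[btype] = (off, pac[off:off + size])
    return out


def zeroed_signatures(pac):
    # The form that gets signed: both Signature fields (after the 4-byte SignatureType) zeroed
    scratch = bytearray(pac)
    for btype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off = parse_pac(pac)[btype][0]
        scratch[off + 4:off + 4 + SIG_LEN] = bytes(SIG_LEN)
    return scratch


def sign_pac(unsigned_pac, service_key, krbtgt_key):
    # What the KDC does: server checksum over the PAC, KDC checksum over the server checksum
    pac = zeroed_signatures(unsigned_pac)
    server_sig = rc4_hmac_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac))
    kdc_sig = rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    bufs = parse_pac(unsigned_pac)
    for btype, sig in ((PAC_SERVER_CHECKSUM, server_sig), (PAC_PRIVSVR_CHECKSUM, kdc_sig)):
        off = bufs[btype][0]
        pac[off + 4:off + 4 + SIG_LEN] = sig
    return bytes(pac)


def verify_server_signature(pac, service_key):
    # The check a service can make once it has decrypted its ticket with the same key
    srv_buf = parse_pac(pac)[PAC_SERVER_CHECKSUM][1]
    expected = rc4_hmac_checksum(service_key, KERB_NON_KERB_CKSUM_SALT,
                                 bytes(zeroed_signatures(pac)))
    return hmac.compare_digest(expected, srv_buf[4:4 + SIG_LEN])


def verify_kdc_signature(pac, krbtgt_key):
    # The check only a holder of the krbtgt key (the KDC) can make
    bufs = parse_pac(pac)
    srv_sig = bufs[PAC_SERVER_CHECKSUM][1][4:4 + SIG_LEN]
    kdc_sig = bufs[PAC_PRIVSVR_CHECKSUM][1][4:4 + SIG_LEN]
    expected = rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, srv_sig)
    return hmac.compare_digest(expected, kdc_sig)


def demo_pac(logon_info=b"constructed placeholder; a real PAC_LOGON_INFO is NDR-encoded"):
    sig_buf = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(SIG_LEN)
    unsigned = build_pac([(PAC_LOGON_INFO, logon_info),
                          (PAC_SERVER_CHECKSUM, sig_buf),
                          (PAC_PRIVSVR_CHECKSUM, sig_buf)])
    return sign_pac(unsigned, SERVICE_KEY, KRBTGT_KEY)


def demo_results():
    genuine = demo_pac()
    # Editing the logon info (say, the group list) without any key breaks the server checksum.
    tampered = bytearray(genuine)
    tampered[parse_pac(genuine)[PAC_LOGON_INFO][0]] ^= 0xFF
    # A holder of the service key alone can re-sign the server checksum, but the KDC
    # checksum then fails for anyone who can check it with the real krbtgt key.
    forged = sign_pac(bytes(tampered), SERVICE_KEY, FAKE_KRBTGT_KEY)
    return {
        "genuine_server": verify_server_signature(genuine, SERVICE_KEY),
        "genuine_kdc": verify_kdc_signature(genuine, KRBTGT_KEY),
        "tampered_server": verify_server_signature(bytes(tampered), SERVICE_KEY),
        "forged_server": verify_server_signature(forged, SERVICE_KEY),
        "forged_kdc": verify_kdc_signature(forged, KRBTGT_KEY),
    }
```

demo_results() spells out the consequence for the question above: the service can verify the server checksum with the key it used to decrypt the ticket, tampering with the logon info breaks that check, and a PAC re-signed by someone who has the service key passes it but fails the KDC checksum, which only a holder of the krbtgt key can verify. A client holding neither key has nothing it can check, so a PAC pulled out of the credential cache, even if it could be decrypted there, carries no assurance on its own; the assurance comes from krb5_rd_req on the service side.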