Windows Kerberos PAC patent

Michael B Allen mba2000 at
Sat Feb 12 03:59:33 EST 2005

On Thu, 10 Feb 2005 23:20:37 -0500, Fredrik Tolf wrote:

> I have to admit that I don't know a lot about Windows and Kerberos.
> However, as I've understood it, the only thing that really prevents you
> from using a MIT KDC for Windows clients is the authorization data they
> ship in the ticket, right? And this is called "PAC", right?

The necessary information about the PAC structure is freely available
on MS' website [1] (and contrary to popular belief the use of the
authorization-data field is as designed and not a case of "embrace
and extend").

The problem is what is *in* the PAC. It contains the principal's group
membership list which is required to create the "token" used by Windows
clients to make access control decisions.

Group information in a MS forest is stored in Active Directory, on each
domain controller, and depending on the group type, may be replicated
between AD and domain controllers (AD and MS Kerberos are very tightly
coupled). The groups for a particular authentication are expanded as
the client traverses the trust to the target [2].

So to use an alternate Kerberos implementation you would need to implement
a variety of MS specific communication [2] to properly and efficiently
produce the necessary group SIDs to construct the PAC. The closest thing
that comes to this is probably XAD [4] which is an amalgamation of Samba,
OpenLDAP, MIT Kerberos, and proprietary stuff but I have no idea how
well it works as I have never used it.


[3] I have recently written an Open Source MIDL compatible IDL
    compiler that could be used to generate the necessary DCE RPC
    proxies for much of this communication. It can be located at

IRC - where men are men, women are men, and the boys are FBI agents.
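An added example (my own code, not the author's and not Microsoft's) that splits a raw PAC into its buffers using the PACTYPE / PAC_INFO_BUFFER layout from the MS-PAC specification and checks the structural requirements a KDC or service would enforce; the group SIDs discussed above sit in the NDR-encoded logon-info buffer (type 1), which is left undecoded here, and the sample PAC is constructed from placeholder contents rather than captured from a ticket.

```python
import struct

# Buffer type identifiers from the MS-PAC PAC_INFO_BUFFER.ulType field.
PAC_LOGON_INFO = 0x01        # KERB_VALIDATION_INFO: user and group SIDs (NDR-encoded)
PAC_SERVER_CHECKSUM = 0x06   # signature over the PAC, keyed with the service key
PAC_KDC_CHECKSUM = 0x07      # signature over the server checksum, keyed with the krbtgt key
PAC_CLIENT_INFO = 0x0A       # client name and ticket authentication time

HEADER = struct.Struct("<II")    # PACTYPE: cBuffers, Version
ENTRY = struct.Struct("<IIQ")    # PAC_INFO_BUFFER: ulType, cbBufferSize, Offset


def parse_pac(blob: bytes) -> dict:
    """Split a PAC into {ulType: bytes}. Raises ValueError on structural
    problems, which a verifier should treat as grounds to reject the ticket."""
    if len(blob) < HEADER.size:
        raise ValueError("PAC shorter than PACTYPE header")
    count, version = HEADER.unpack_from(blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    dir_end = HEADER.size + count * ENTRY.size
    if dir_end > len(blob):
        raise ValueError("buffer directory runs past end of PAC")
    buffers = {}
    for i in range(count):
        btype, size, offset = ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
        if offset < dir_end or offset + size > len(blob):
            raise ValueError(f"buffer type {btype:#x} points outside the PAC")
        if btype in buffers:
            raise ValueError(f"duplicate buffer type {btype:#x}")
        buffers[btype] = blob[offset:offset + size]
    for required in (PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_KDC_CHECKSUM, PAC_CLIENT_INFO):
        if required not in buffers:
            raise ValueError(f"PAC is missing required buffer type {required:#x}")
    return buffers


def build_pac(parts: dict) -> bytes:
    """Assemble buffers into a PAC, each padded to 8 bytes (used here only to
    construct sample input; real logon info is NDR-encoded, not a placeholder)."""
    items = list(parts.items())
    offset = HEADER.size + len(items) * ENTRY.size
    directory, body = b"", b""
    for btype, data in items:
        directory += ENTRY.pack(btype, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)
        body, offset = body + padded, offset + len(padded)
    return HEADER.pack(len(items), 0) + directory + body


# Constructed sample with placeholder buffer contents; 0xFFFFFF76 is the HMAC_MD5 checksum type.
SAMPLE_PAC = build_pac({
    PAC_LOGON_INFO: b"<ndr-encoded KERB_VALIDATION_INFO placeholder>",
    PAC_CLIENT_INFO: b"<client info placeholder>",
    PAC_SERVER_CHECKSUM: b"\x76\xff\xff\xff" + b"\0" * 16,
    PAC_KDC_CHECKSUM: b"\x76\xff\xff\xff" + b"\0" * 16,
})
```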
