Windows Kerberos PAC patent
Michael B Allen
mba2000 at ioplex.com
Sat Feb 12 03:59:33 EST 2005
On Thu, 10 Feb 2005 23:20:37 -0500, Fredrik Tolf wrote:
> I have to admit that I don't know a lot about Windows and Kerberos.
> However, as I've understood it, the only thing that really prevents you
> from using a MIT KDC for Windows clients is the authorization data they
> ship in the ticket, right? And this is called "PAC", right?
The necessary information about the PAC structure is freely available
on MS' website (and contrary to popular belief the use of the
authorization-data field is as designed and not a case of "embrace
The problem is what is *in* the PAC. It contains the principal's group
membership list which is required to create the "token" used by Windows
clients to make access control decisions.
Group information in a MS forest is stored in Active Directory, on each
domain controller, and depending on the group type, may be replicated
between AD and domain controllers (AD and MS Kerberos are very tightly
coupled). The groups for a particular authentication are expanded as
the client traverses the trust to the target.
So to use an alternate Kerberos implementation you would need to implement
a variety of MS specific communication to properly and efficiently
produce the necessary group SIDs to construct the PAC. The closest thing
that comes to this is probably XAD which is an amalgamation of Samba,
OpenLDAP, MIT Kerberos, and proprietary stuff but I have no idea how
well it works as I have never used it.
I have recently written an Open Source MIDL compatible IDL
compiler that could be used to generate the necessary DCE RPC
proxies for much of this communication. It can be located at
IRC - where men are men, women are men, and the boys are FBI agents.
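The PAC layout the post refers to, as an added example (not the poster's code or any project's): a small Python parser, written here, for the PACTYPE header and PAC_INFO_BUFFER directory documented in [MS-PAC], with the bounds checks a KDC or service would want before trusting the blob. It assumes the [MS-PAC] field layout (cBuffers, Version, then ulType/cbBufferSize/Offset entries) and a constructed sample blob; it does not decode the NDR-encoded KERB_VALIDATION_INFO body where the group SIDs live.

```python
import struct
from collections import namedtuple

# One directory entry plus its body; ul_type 1 is KERB_VALIDATION_INFO (the
# logon info carrying the group SIDs), 6/7 are the server and KDC checksums.
PacBuffer = namedtuple("PacBuffer", "ul_type size offset data")

def parse_pac(blob: bytes) -> list:
    """Parse the PACTYPE header and its PAC_INFO_BUFFER directory.

    Layout: ULONG cBuffers, ULONG Version (0), then cBuffers entries of
    {ULONG ulType, ULONG cbBufferSize, ULONG64 Offset}. Every body must
    lie inside the blob after the directory; malformed input is rejected.
    """
    if len(blob) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    c_buffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    dir_end = 8 + 16 * c_buffers
    if dir_end > len(blob):
        raise ValueError("buffer directory runs past end of PAC")
    buffers = []
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset < dir_end or offset + size > len(blob):
            raise ValueError(f"buffer {i} (type {ul_type}) lies outside the PAC")
        buffers.append(PacBuffer(ul_type, size, offset, blob[offset:offset + size]))
    return buffers

def is_well_formed(blob: bytes) -> bool:
    """True if the directory parses and every buffer fits inside the blob."""
    try:
        parse_pac(blob)
        return True
    except ValueError:
        return False

def build_sample_pac(payloads: list) -> bytes:
    """Constructed test blob: directory first, each body padded to 8 bytes."""
    offset = 8 + 16 * len(payloads)
    directory, bodies = b"", b""
    for ul_type, body in payloads:
        directory += struct.pack("<IIQ", ul_type, len(body), offset)
        padded = body + b"\x00" * (-len(body) % 8)
        bodies += padded
        offset += len(padded)
    return struct.pack("<II", len(payloads), 0) + directory + bodies
```

Checksum buffers (types 6 and 7) are placeholders in the sample; a real consumer verifies them before reading the logon info.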