PAC missing from service tickets why?
Douglas E. Engert
deengert at anl.gov
Thu Apr 24 09:54:19 EDT 2008
Michael B Allen wrote:
> Hi All,
>
> Sorry for the MS specific question.
>
> Regarding the Privilege Attribute Certificate in the
> authorization-data field, someone using my SPNEGO HTTP server product
> is getting an error that indicates no PAC is present in the service
> ticket supplied by the client. The server is Windows 2003 Server and
> the client is Vista SP1. If they try a non-Vista client, SSO works
> fine.
>
> Does anyone know of a reason why the PAC would be left out of the
> service ticket?
>
Yes. If the userAccountControl flag NO_AUTH_REQUIRED is set on the service
account, the PAC will not be added to the service tickets for that service.
See http://support.microsoft.com/kb/832572
This was added to keep the size of a ticket down for services that did not
use the PAC, and had trouble with large tickets. (With out the PAC tickets
are about 240 bytes. With the large PAC, then can be as large as 12K.
> Is there some new security policy that I don't know about?
>
> Any help would be appreciated,
>
> Mike
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list