PAC missing from service tickets why?

Douglas E. Engert deengert at
Thu Apr 24 09:54:19 EDT 2008

Michael B Allen wrote:
> Hi All,
> Sorry for the MS specific question.
> Regarding the Privilege Attribute Certificate in the
> authorization-data field, someone using my SPNEGO HTTP server product
> is getting an error that indicates no PAC is present in the service
> ticket supplied by the client. The server is Windows 2003 Server and
> the client is Vista SP1. If they try a non-Vista client, SSO works
> fine.
> Does anyone know of a reason why the PAC would be left out of the
> service ticket?

Yes. If the userAccountControl flag NO_AUTH_REQUIRED is set on the service
account, the PAC will not be added to the service tickets for that service.

This was added to keep the size of a ticket down for services that did not
use the PAC, and had trouble with large tickets. (With out the PAC tickets
are about 240 bytes. With the large PAC, then can be as large as 12K.

> Is there some new security policy that I don't know about?

> Any help would be appreciated,
> Mike


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list