PAC missing from service tickets why?

Michael B Allen ioplex at gmail.com
Thu Apr 24 15:11:04 EDT 2008


On 4/24/08, Douglas E. Engert <deengert at anl.gov> wrote:
>
>  Michael B Allen wrote:
>
> > Hi All,
> >
> > Sorry for the MS specific question.
> >
> > Regarding the Privilege Attribute Certificate in the
> > authorization-data field, someone using my SPNEGO HTTP server product
> > is getting an error that indicates no PAC is present in the service
> > ticket supplied by the client. The server is Windows 2003 Server and
> > the client is Vista SP1. If they try a non-Vista client, SSO works
> > fine.
> >
> > Does anyone know of a reason why the PAC would be left out of the
> > service ticket?
> >
> >
>
>  Yes. If the userAccountControl flag NO_AUTH_REQUIRED is set on the service
>  account, the PAC will not be added to the service tickets for that service.
>  See http://support.microsoft.com/kb/832572
>
>  This was added to keep the size of a ticket down for services that did not
>  use the PAC, and had trouble with large tickets. (Without the PAC, tickets
>  are about 240 bytes. With the large PAC, they can be as large as 12K.)

Hi Douglas,

Well I thought for sure that would be the problem. But the user claims
the userAccountControl value is 590336 which does not include
NO_AUTH_DATA_REQUIRED (0x2000000).

What happens if the token is larger than 12K?

Anyone else have any ideas?

Right now I'm modifying my code to get authorization data from LDAP if
the PAC isn't present but obviously that's not an ideal solution as it
will significantly slow things down.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
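The check Douglas describes and Mike carries out by hand, decoding the service account's userAccountControl bitmask and testing the NO_AUTH_DATA_REQUIRED bit, as an added example that is not part of the original thread. The flag names and bit values are the documented ADS_UF_* values for userAccountControl; the ldapsearch-style line at the bottom is constructed for the demonstration and the value 590336 is the one quoted in Mike's reply.

```python
import re

# Documented userAccountControl bits (ADS_UF_* values), lowest to highest.
UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

NO_AUTH_DATA_REQUIRED = 0x02000000


def decode_uac(value):
    """Return the names of all documented flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def unknown_bits(value):
    """Bits set in the value that are not in the documented table (0 if none)."""
    known = 0
    for bit in UAC_FLAGS:
        known |= bit
    return value & ~known


def pac_suppressed(value):
    """True when NO_AUTH_DATA_REQUIRED is set, i.e. the KDC omits the PAC
    from service tickets for this account (the condition in KB 832572)."""
    return bool(value & NO_AUTH_DATA_REQUIRED)


def uac_from_ldif(text):
    """Pull the decimal userAccountControl value out of LDIF-style output.

    AD returns the attribute as a decimal string, which is how it shows up in
    ldapsearch output. Returns None if the attribute is not present.
    """
    match = re.search(r"^userAccountControl:\s*(\d+)\s*$", text, re.MULTILINE)
    return int(match.group(1)) if match else None


# Constructed sample output for the service account discussed in the thread.
SAMPLE_LDIF = """dn: CN=http-svc,OU=Service Accounts,DC=example,DC=com
sAMAccountName: http-svc
userAccountControl: 590336
"""

if __name__ == "__main__":
    uac = uac_from_ldif(SAMPLE_LDIF)
    print("userAccountControl = %d (0x%X)" % (uac, uac))
    print("flags set:", ", ".join(decode_uac(uac)))
    print("undocumented bits: 0x%X" % unknown_bits(uac))
    print("PAC suppressed by NO_AUTH_DATA_REQUIRED:", pac_suppressed(uac))
```

Running it on the quoted value shows 590336 is NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and TRUSTED_FOR_DELEGATION with no undocumented bits, so the KB 832572 explanation is ruled out for this account, which is the conclusion Mike reaches; the same functions can be pointed at any account's attribute when the PAC is unexpectedly absent.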