PAC missing from service tickets why?

Douglas E. Engert deengert at
Thu Apr 24 16:27:48 EDT 2008

Michael B Allen wrote:
> On 4/24/08, Douglas E. Engert <deengert at> wrote:
>>  Michael B Allen wrote:
>>> Hi All,
>>> Sorry for the MS specific question.
>>> Regarding the Privilege Attribute Certificate in the
>>> authorization-data field, someone using my SPNEGO HTTP server product
>>> is getting an error that indicates no PAC is present in the service
>>> ticket supplied by the client. The server is Windows 2003 Server and
>>> the client is Vista SP1. If they try a non-Vista client, SSO works
>>> fine.
>>> Does anyone know of a reason why the PAC would be left out of the
>>> service ticket?
>>  Yes. If the userAccountControl flag NO_AUTH_REQUIRED is set on the service
>>  account, the PAC will not be added to the service tickets for that service.
>>  See
>>  This was added to keep the size of a ticket down for services that did not
>>  use the PAC, and had trouble with large tickets. (Without the PAC, tickets
>>  are about 240 bytes. With a large PAC, they can be as large as 12K.)
> Hi Douglas,
> Well I thought for sure that would be the problem. But the user claims
> the userAccountControl value is 590336 which does not include
> NO_AUTH_DATA_REQUIRED (0x2000000).
> What happens if the token is larger than 12K?

Change the registry ;-)

> Anyone else have any ideas?

Run Wireshark on the client to see the TGS-REQ and response.
It might give you some clues, like there is a PAC in the TGT,
but not in the service ticket. Or there is a PAC in the service ticket,
but for some reason it has a problem.

> Right now I'm modifying my code to get authorization data from LDAP if
> the PAC isn't present but obviously that's not an ideal solution as it
> will significantly slow things down.
> Mike


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
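The thread hinges on reading the raw userAccountControl integer (590336 in Mike's reply) and checking it for the NO_AUTH_DATA_REQUIRED bit (0x2000000). The following decoder is an added example, not code from either poster; it maps the documented userAccountControl bit values to their flag names, reports any bits it does not recognise, and answers the specific question of whether the PAC-suppressing flag is set. The sample values in `main()` are constructed for illustration; 590336 is the value quoted in the thread.

```python
"""Decode an Active Directory userAccountControl bitmask.

Added example for the thread above. The bit values below are the documented
userAccountControl flags (ADS_USER_FLAG_ENUM); 0x2000000 is the
NO_AUTH_DATA_REQUIRED bit that causes the KDC to omit the PAC from
service tickets for that account.
"""

USER_ACCOUNT_CONTROL_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

NO_AUTH_DATA_REQUIRED = 0x02000000


def decode_uac(value: int) -> list[str]:
    """Return the names of all known flags set in `value`, lowest bit first."""
    return [name for bit, name in sorted(USER_ACCOUNT_CONTROL_FLAGS.items())
            if value & bit]


def unknown_bits(value: int) -> int:
    """Return any set bits that are not in the flag table (0 if none)."""
    known = 0
    for bit in USER_ACCOUNT_CONTROL_FLAGS:
        known |= bit
    return value & ~known


def pac_suppressed(value: int) -> bool:
    """True if NO_AUTH_DATA_REQUIRED is set, i.e. the KDC omits the PAC."""
    return bool(value & NO_AUTH_DATA_REQUIRED)


def describe(value: int) -> str:
    """Human-readable summary for a userAccountControl value."""
    lines = [f"userAccountControl = {value} (0x{value:08X})"]
    for name in decode_uac(value):
        lines.append(f"  {name}")
    leftover = unknown_bits(value)
    if leftover:
        lines.append(f"  unrecognised bits: 0x{leftover:08X}")
    lines.append("  PAC in service tickets: "
                 + ("SUPPRESSED" if pac_suppressed(value) else "present"))
    return "\n".join(lines)


def main() -> None:
    # 590336 is the value reported in the thread: it decodes to
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_FOR_DELEGATION,
    # so NO_AUTH_DATA_REQUIRED is indeed not set. (TRUSTED_FOR_DELEGATION,
    # i.e. unconstrained delegation, is worth a review of its own.)
    print(describe(590336))
    print()
    # Constructed contrast value: the same account with the bit set.
    print(describe(590336 | NO_AUTH_DATA_REQUIRED))


if __name__ == "__main__":
    main()
```

Run against the integer read from the account's userAccountControl attribute; the summary confirms in one place both which flags are set and whether the PAC-suppression explanation applies.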
