PAC missing from service tickets why?
Douglas E. Engert
deengert at anl.gov
Thu Apr 24 16:27:48 EDT 2008
Michael B Allen wrote:
> On 4/24/08, Douglas E. Engert <deengert at anl.gov> wrote:
>> Michael B Allen wrote:
>>
>>> Hi All,
>>>
>>> Sorry for the MS specific question.
>>>
>>> Regarding the Privilege Attribute Certificate in the
>>> authorization-data field, someone using my SPNEGO HTTP server product
>>> is getting an error that indicates no PAC is present in the service
>>> ticket supplied by the client. The server is Windows 2003 Server and
>>> the client is Vista SP1. If they try a non-Vista client, SSO works
>>> fine.
>>>
>>> Does anyone know of a reason why the PAC would be left out of the
>>> service ticket?
>>>
>>>
>> Yes. If the userAccountControl flag NO_AUTH_REQUIRED is set on the service
>> account, the PAC will not be added to the service tickets for that service.
>> See http://support.microsoft.com/kb/832572
>>
>> This was added to keep the size of a ticket down for services that did not
>> use the PAC, and had trouble with large tickets. (Without the PAC tickets
>> are about 240 bytes. With the large PAC, they can be as large as 12K.)
>
> Hi Douglas,
>
> Well I thought for sure that would be the problem. But the user claims
> the userAccountControl value is 590336 which does not include
> NO_AUTH_DATA_REQUIRED (0x2000000).
>
> What happens if the token is larger than 12K?
Change the registry ;-)
http://support.microsoft.com/kb/327825
>
> Anyone else have any ideas?
Run Wireshark, on the client to see the TGS-REQ and response.
It might give you some clues, like there is a PAC in the TGT,
but not in the service ticket. Or there is a PAC in the service ticket,
but for some reason it has a problem.
>
> Right now I'm modifying my code to get authorization data from LDAP if
> the PAC isn't present but obviously that's not an ideal solution as it
> will significantly slow things down.
>
> Mike
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
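The "is there a PAC in the service ticket" check that the Wireshark advice above is after, as an added example that is not from this thread: given the decrypted authorization-data of a ticket (the enc-part has to be decrypted with the service key first), it walks the DER-encoded AuthorizationData, unwraps AD-IF-RELEVANT (ad-type 1, the container Windows KDCs put the PAC in) and reports whether AD-WIN2K-PAC (ad-type 128) is present. The two sample blobs are constructed in the block, not taken from a real ticket.

```python
"""Walk a Kerberos AuthorizationData blob and report whether a PAC is present."""

AD_IF_RELEVANT = 1      # RFC 4120 section 7.5.4
AD_WIN2K_PAC = 128      # RFC 4120 section 7.5.4 / MS-PAC
AD_ETYPE_NEGOTIATION = 129  # RFC 4537, used here only as a non-PAC element

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ad_element(ad_type, ad_data):
    """SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }"""
    return tlv(0x30, tlv(0xA0, der_int(ad_type)) + tlv(0xA1, tlv(0x04, ad_data)))

def authorization_data(*elements):
    """AuthorizationData ::= SEQUENCE OF the elements above"""
    return tlv(0x30, b"".join(elements))

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def iter_ad(buf):
    """Yield (ad_type, ad_data) for every element, descending into AD-IF-RELEVANT."""
    tag, seq, _ = read_tlv(buf, 0)
    assert tag == 0x30, "AuthorizationData must be a SEQUENCE"
    pos = 0
    while pos < len(seq):
        _, elem, pos = read_tlv(seq, pos)
        _, t_body, p = read_tlv(elem, 0)            # [0] ad-type
        ad_type = int.from_bytes(read_tlv(t_body, 0)[1], "big", signed=True)
        _, d_body, _ = read_tlv(elem, p)            # [1] ad-data
        ad_data = read_tlv(d_body, 0)[1]
        if ad_type == AD_IF_RELEVANT:
            yield from iter_ad(ad_data)
        else:
            yield ad_type, ad_data

def has_pac(buf):
    return any(t == AD_WIN2K_PAC for t, _ in iter_ad(buf))

# Constructed samples (not real tickets): the PAC wrapped in AD-IF-RELEVANT, and
# the same wrapper carrying only an etype-negotiation element instead.
WITH_PAC = authorization_data(ad_element(AD_IF_RELEVANT,
    authorization_data(ad_element(AD_WIN2K_PAC, b"<pac bytes>"))))
WITHOUT_PAC = authorization_data(ad_element(AD_IF_RELEVANT,
    authorization_data(ad_element(AD_ETYPE_NEGOTIATION, b"\x30\x00"))))
```

Feed it the authorization-data octets of the decrypted EncTicketPart for the TGT and for the service ticket; a PAC in the first but not the second narrows the problem to how the KDC built the service ticket.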
More information about the Kerberos mailing list