AD integration (ticket size) question

Jerry Shipman jes59 at cornell.edu
Tue Nov 15 14:04:09 EST 2016


Hello,

This is probably not a great question for this list -- I apologize. But, I figured you all would have a better idea than I do.

We have cross-realm authentication with an Active Directory installation. We run into occasional issues with the AD Kerberos tickets being too large to fit into application buffers, etc. -- I guess because of all the group information in the PAC (i.e. users who are in a lot of AD groups have larger tickets).

On my side of the integration, we're never using that PAC information anyway. Is there a way that I can get rid of that information, either on the KDC side or on the client side?
I am thinking things like:
1. maybe there is a way in the Kerberos client code to make the request to AD, to ask it not to put that stuff in there, and give a smaller ticket?
2. or maybe there is a configuration option on the MIT KDC, that will strip that information out while it's building the tickets for the MIT realm? (I'm not sure if this is technically possible.)
3. or maybe there is a configuration option on AD to tell it to filter out that information when it is issuing cross-realm tickets just to that one (MIT) realm?
Or something I didn't think of.

I don't know if I would be able to implement any of those, even if they are possible...but, I am curious about whether there are any options.

Thanks a lot,
Jerry Shipman
