[krbdev.mit.edu #8503] Access to AS REP keys to decrypt MS-PAC's PAC_CREDENTIAL_DATA

Simo Sorce via RT rt-comment at krbdev.mit.edu
Thu Sep 29 16:06:27 EDT 2016


As specified in [MS-PAC] 2.6.2 [1] the PAC_CREDENTIAL_DATA structure is
encrypted with the "cryptographic system selected through the AS
protocol and the KRB_AS_REP message (as specified in [RFC4120] section
3.1.3 and [RFC4556])".

When a client receives the AS_REP though, the MS-PAC is not immediately
available, and will be available only after a subsequent validation
step's TGS reply.

In order to be able to decrypt this PAC buffer the key used to decode
the AS reply needs to be made available to the client on request.

Simo.

[1] https://msdn.microsoft.com/en-us/library/cc237952.aspx

-- 
Simo Sorce * Red Hat, Inc * New York
