Windows 2000 KDC interoperability abm at
Wed Dec 11 09:30:00 EST 2002

lukeh at PADL.COM wrote:
> >I believe if you disable the use of preauthentication for your Win2K
> >user principals, the PAC data is not included in their tickets.
> Or your client can send a KERB-PA-PAC-REQUEST with include-pac set
> to FALSE.
> -- Luke
> --
> Luke Howard | PADL Software Pty Ltd |

Disabling the use of preauth is not a good idea since it compromises security. The client must send the actual password to the KDC in order to gain a TGT.

Sending KERB-PA-PAC-REQUEST is the better solution; I mentioned this at the start of this thread, but as Sam said, it is unlikely it will be implemented.

I am presently looking at a way to enhance the ms2mit app to get rid of PAC data from the start.
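
Added example, not part of the original thread and not MIT krb5 or ms2mit code: the KERB-PA-PAC-REQUEST element discussed above, encoded and decoded as the DER PA-DATA entry a client would place in its AS-REQ with include-pac set to FALSE. The function names are hypothetical, and the sketch assumes padata-type 128 and short-form DER lengths only.

```python
PA_PAC_REQUEST = 128  # padata-type value for KERB-PA-PAC-REQUEST


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; short-form length is enough for this element."""
    if len(body) > 127:
        raise ValueError("long-form length not needed here")
    return bytes([tag, len(body)]) + body


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
    carrying KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }."""
    boolean = tlv(0x01, b"\xff" if include_pac else b"\x00")
    pac_request = tlv(0x30, tlv(0xA0, boolean))
    # 128 has its top bit set, so DER needs a leading zero octet to keep it positive.
    padata_type = tlv(0xA1, tlv(0x02, PA_PAC_REQUEST.to_bytes(2, "big")))
    padata_value = tlv(0xA2, tlv(0x04, pac_request))
    return tlv(0x30, padata_type + padata_value)


def read_tlv(buf: bytes, pos: int, want: int):
    """Return (body, next_pos) for the element at pos, checking tag and bounds."""
    if pos + 2 > len(buf) or buf[pos] != want or buf[pos + 1] > 127:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos + 2:end], end


def decode_pa_pac_request(pa_data: bytes) -> bool:
    """Return the include-pac flag, rejecting anything that is not PA-PAC-REQUEST."""
    seq, end = read_tlv(pa_data, 0, 0x30)
    if end != len(pa_data):
        raise ValueError("trailing bytes")
    type_field, pos = read_tlv(seq, 0, 0xA1)
    value_field, pos = read_tlv(seq, pos, 0xA2)
    number, _ = read_tlv(type_field, 0, 0x02)
    if int.from_bytes(number, "big", signed=True) != PA_PAC_REQUEST:
        raise ValueError("not a PA-PAC-REQUEST")
    octets, _ = read_tlv(value_field, 0, 0x04)
    inner, _ = read_tlv(octets, 0, 0x30)
    tagged, _ = read_tlv(inner, 0, 0xA0)
    flag, _ = read_tlv(tagged, 0, 0x01)
    if len(flag) != 1:
        raise ValueError("BOOLEAN must be one octet")
    return flag != b"\x00"
```

`encode_pa_pac_request(False)` yields the 19-byte element to append to the request's padata sequence; the decoder is useful for checking captured requests for the flag.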
