Windows 2000 KDC interoperability
abm at firefly-cons.demon.co.uk
Wed Dec 11 09:30:00 EST 2002
lukeh at PADL.COM wrote:
> >I believe if you disable the use of preauthentication for your Win2K
> >user principals, the PAC data is not included in their tickets.
> Or your client can send a KERB-PA-PAC-REQUEST with include-pac set
> to FALSE.
> -- Luke
> Luke Howard | PADL Software Pty Ltd | www.padl.com
Disabling the use of preauth is not a good idea since it compromises security. The client must send the actual password to the KDC in order to gain a TGT.
Sending KERB-PA-PAC-REQUEST is the better solution; I mentioned this at the start of this thread, but as Sam said, it is unlikely it will be implemented.
I am presently looking at a way to enhance the ms2mit app to get rid of PAC data from the start.
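As an added illustration (not code from this thread, from MIT Kerberos, or from PADL), the following builds and parses the KERB-PA-PAC-REQUEST pre-authentication element that Luke's reply mentions, with include-pac set to FALSE so that a KDC that honours it omits the PAC from the ticket. The layout follows the PA-DATA definition in RFC 4120 and the PA-PAC-REQUEST definition in MS-KILE (padata-type 128, `SEQUENCE { include-pac [0] BOOLEAN }`); the DER helpers and all function names here are this example's own, written for the demonstration.

```python
# Added example: encode/decode a KERB-PA-PAC-REQUEST PA-DATA (padata-type 128).
#   PA-DATA        ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
#   PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
# The DER helpers below are written for this example; they are not krb5 library code.
from typing import Optional, Tuple

PA_PAC_REQUEST_TYPE = 128  # padata-type value registered for PA-PAC-REQUEST


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value; 128 needs a leading 0x00 (-> 00 80)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return _der_tlv(0x02, body)


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN } (DER: TRUE is 0xFF)."""
    boolean = _der_tlv(0x01, b"\xff" if include_pac else b"\x00")
    return _der_tlv(0x30, _der_tlv(0xA0, boolean))  # [0] is EXPLICIT in Kerberos


def encode_pa_data(include_pac: bool) -> bytes:
    """Wrap PA-PAC-REQUEST in the PA-DATA element a client puts in AS-REQ padata."""
    ptype = _der_tlv(0xA1, _der_integer(PA_PAC_REQUEST_TYPE))
    pvalue = _der_tlv(0xA2, _der_tlv(0x04, encode_pa_pac_request(include_pac)))
    return _der_tlv(0x30, ptype + pvalue)


def _read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, body, next_pos); rejects truncated or non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and buf[pos] == 0):
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _unwrap(buf: bytes, want_tag: int, what: str) -> bytes:
    """Read exactly one TLV filling buf, checking its tag."""
    tag, body, end = _read_tlv(buf)
    if tag != want_tag or end != len(buf):
        raise ValueError(f"expected {what} (tag 0x{want_tag:02x}), got 0x{tag:02x}")
    return body


def decode_pa_pac_request(pa_data: bytes) -> bool:
    """Parse one PA-DATA; return its include-pac flag. Raises on any other padata-type."""
    seq = _unwrap(pa_data, 0x30, "PA-DATA SEQUENCE")
    tag, t_body, pos = _read_tlv(seq)
    if tag != 0xA1:
        raise ValueError("expected [1] padata-type")
    ptype = int.from_bytes(_unwrap(t_body, 0x02, "INTEGER"), "big", signed=True)
    if ptype != PA_PAC_REQUEST_TYPE:
        raise ValueError(f"padata-type {ptype} is not PA-PAC-REQUEST")
    tag, v_body, pos = _read_tlv(seq, pos)
    if tag != 0xA2 or pos != len(seq):
        raise ValueError("expected [2] padata-value as the last element")
    octets = _unwrap(v_body, 0x04, "OCTET STRING")
    inner = _unwrap(octets, 0x30, "PA-PAC-REQUEST SEQUENCE")
    flag = _unwrap(_unwrap(inner, 0xA0, "[0] include-pac"), 0x01, "BOOLEAN")
    if flag not in (b"\x00", b"\xff"):
        raise ValueError("DER BOOLEAN must be a single 0x00 or 0xFF octet")
    return flag == b"\xff"


def pac_requested(pa_data: bytes) -> Optional[bool]:
    """Lenient front end: True/False for a well-formed element, None if malformed."""
    try:
        return decode_pa_pac_request(pa_data)
    except ValueError:
        return None


if __name__ == "__main__":
    pa = encode_pa_data(include_pac=False)
    print(pa.hex())                     # 3011a10402020080a20904073005a003010100
    print(pac_requested(pa))            # False
```

The strict decoder matters on the KDC side: padata arrives from an unauthenticated client before any key is proven, so every length is checked against the buffer and non-canonical encodings are rejected rather than guessed at. The constant hex shown for the FALSE case is the full 19-byte element a client would place in its AS-REQ padata list.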