Windows 2000 KDC interoperability

Wyllys Ingersoll wyllys.ingersoll at
Fri Dec 13 23:31:01 EST 2002

abm at wrote:
> lukeh at PADL.COM wrote:
>>>I believe if you disable the use of preauthentication for your Win2K
>>>user principals, the PAC data is not included in their tickets.
>>Or your client can send a KERB-PA-PAC-REQUEST with include-pac set
>>to FALSE.
>>-- Luke
>>Luke Howard | PADL Software Pty Ltd |
> Disabling the use of preauth is not a good idea since it compromises security.

I agree, this is not the best solution.  I just offered it as a possibility.

> The client must send the actual password to the KDC in order to gain a TGT.

This is not true.  The client never sends the password over the wire to gain a TGT.
The KDC will issue a TGT to anyone who asks; it is only useful to the person
who receives it if they know the password and can decrypt it after it has been received.

> Sending KERB-PA-PAC-REQUEST is the better solution; I mentioned this at the start of this thread, but, as Sam said, it is unlikely it will be implemented.
Yes agreed, this is the better solution.

> I am presently looking at a way to enhance the ms2mit app to get rid of PAC data from the start.

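The KERB-PA-PAC-REQUEST pre-authentication element discussed in this thread is small enough to build by hand. The following is an added example, not code from the original post nor from the MIT Kerberos or PADL projects: it DER-encodes a PA-DATA of padata-type 128 (PA-PAC-REQUEST) whose value is KERB-PA-PAC-REQUEST { include-pac [0] BOOLEAN }, as defined in MS-KILE, and parses it back. The helper names are my own; the byte layout follows the standard PA-DATA structure from RFC 4120, and only the short-form DER length (values under 128 bytes) is handled, which is all this structure needs.

```python
"""
Added example (not from the krbdev post or any Kerberos implementation):
encode and decode the KERB-PA-PAC-REQUEST padata a client can put in an
AS-REQ to ask a Windows KDC to omit the PAC from the issued ticket.

ASN.1 (MS-KILE / RFC 4120):
    KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
    PA-DATA ::= SEQUENCE { padata-type  [1] Int32,
                           padata-value [2] OCTET STRING }
"""

PA_PAC_REQUEST = 128  # padata-type assigned to KERB-PA-PAC-REQUEST


def _tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value with a short-form length (content must be < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def _der_int(value: int) -> bytes:
    """Minimal two's-complement DER INTEGER; 128 takes two bytes (00 80)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """Return the DER PA-DATA carrying KERB-PA-PAC-REQUEST { include-pac }."""
    # DER BOOLEAN: 0xff for TRUE, 0x00 for FALSE.
    boolean = _tlv(0x01, b"\xff" if include_pac else b"\x00")
    pac_request = _tlv(0x30, _tlv(0xA0, boolean))        # [0] include-pac
    padata_type = _tlv(0xA1, _der_int(PA_PAC_REQUEST))   # [1] padata-type
    padata_value = _tlv(0xA2, _tlv(0x04, pac_request))   # [2] OCTET STRING
    return _tlv(0x30, padata_type + padata_value)


def _read_tlv(buf: bytes, pos: int, expected_tag: int):
    """Parse one short-form TLV at pos; return (content, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length = buf[pos + 1]
    if length >= 128 or pos + 2 + length > len(buf):
        raise ValueError("bad length")
    return buf[pos + 2 : pos + 2 + length], pos + 2 + length


def decode_pa_pac_request(padata: bytes):
    """Parse a PA-DATA; return include-pac as bool, or None if the type is not 128."""
    seq, end = _read_tlv(padata, 0, 0x30)
    if end != len(padata):
        raise ValueError("trailing bytes after PA-DATA")
    type_ctx, pos = _read_tlv(seq, 0, 0xA1)
    type_int, _ = _read_tlv(type_ctx, 0, 0x02)
    if int.from_bytes(type_int, "big", signed=True) != PA_PAC_REQUEST:
        return None  # some other padata (e.g. PA-ENC-TIMESTAMP); not ours to parse
    value_ctx, _ = _read_tlv(seq, pos, 0xA2)
    octets, _ = _read_tlv(value_ctx, 0, 0x04)
    inner, _ = _read_tlv(octets, 0, 0x30)
    ctx0, _ = _read_tlv(inner, 0, 0xA0)
    flag, _ = _read_tlv(ctx0, 0, 0x01)
    if len(flag) != 1:
        raise ValueError("bad BOOLEAN")
    # DER demands exactly 0x00 or 0xff; like most BER decoders we accept any non-zero.
    return flag[0] != 0


if __name__ == "__main__":
    for want in (False, True):
        blob = encode_pa_pac_request(want)
        print(f"include-pac={want}: {blob.hex()} -> {decode_pa_pac_request(blob)}")
```

The FALSE form encodes to 3011a10402020080a20904073005a003010100, nineteen bytes that a client appends to the padata list of its AS-REQ; note the two-byte INTEGER for type 128, since a single 0x80 byte would read as a negative number. Whether the KDC honours the request is its decision, so a client that depends on a PAC-free ticket should still verify the authorization-data contents of what it receives.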