Windows 2000 KDC interoperability
wyllys.ingersoll at sun.com
Fri Dec 13 23:31:01 EST 2002
abm at firefly-cons.demon.co.uk wrote:
> lukeh at PADL.COM wrote:
>>>I believe if you disable the use of preauthentication for your Win2K
>>>user principals, the PAC data is not included in their tickets.
>>Or your client can send a KERB-PA-PAC-REQUEST with include-pac set
>>Luke Howard | PADL Software Pty Ltd | www.padl.com
> Disabling the use of preauth is not a good idea since it comprimises security.
I agree, this is not the best solution. I just offered it as a possibility.
>The client must send the actual password to the KDC in order to gain a TGT.
This is not true. The client never sends the password over the wire to gain a TGT.
The KDC will issue a TGT to anyone who asks, it is only useful to the person
who receives it if they know the password and can decrypt it after it has been received.
> Sending KERB-PA-PAC-REQUEST is the better solution, I mentioned this at the start of this thread, but as Sam said, it is unlikely it will be implemented.
Yes agreed, this is the better solution.
> I am presently looking at a way to enchance the ms2mit app to get rid of pac data from the start.
More information about the krbdev