Windows 2000 KDC interoperability

Sam Hartman hartmans at MIT.EDU
Sat Dec 14 14:46:00 EST 2002

>>>>> "Wyllys" == Wyllys Ingersoll <wyllys.ingersoll at> writes:

    >> Sending KERB-PA-PAC-REQUEST is the better solution, I mentioned
    >> this at the start of this thread, but as Sam said, it is
    >> unlikely it will be implemented.
    Wyllys> Yes agreed, this is the better solution.

The reason I don't think it should be implemented is that I think that
there probably aren't that many applications that deal poorly with
large tickets and we should go fix those applications.

If it turns out I'm wrong we can look again at the problem.

    >> I am presently looking at a way to enchance the ms2mit app to
    >> get rid of pac data from the start.

Since the PAC is in the encrypted part of the ticket, you would need
to break the Kerberos protocol (as in find a security problem) to do

More information about the krbdev mailing list