Kerberos Feature Request

Frank Balluffi frank.balluffi at
Wed Feb 11 13:02:50 EST 2004


Regarding passing authorization data in an AS-REQ, the Microsoft KDC 
allows a client to specify whether to put PAC data in a ticket or not (see 
I am not convinced it is a good idea for a client to specify its 
authorization data. Might such a mechanism allow a user to increase its 


Daniel Kouril <kouril at>
Sent by: krbdev-bounces at
02/11/2004 11:38 AM

        To:     "Henry B. Hotz" <hotz at>
        cc:     krbdev at, Sam Hartman <hartmans at>, Byrne 
<Dj.Byrne at>
        Subject:        Re: Kerberos Feature Request

Henry B. Hotz wrote:
> I'm not sure if we're on the same wavelength or not.  Let me try again:
> I think there should be a standard way to fill in PAC data from outside 
> the KDC.

I'm not sure if I'm not missing something but could you tell me why the KDC 
should do that? If I'm not mistaken, the user can put into the AS-REQ 
message any authorization data she wants and the KDC just copies them to 
the ticket, am I right? If so, then the client can propagate to the 
ticket all authorization data she needs without any intervention of the KDC. 
I think this is a very useful solution in a world of multiple 
authorization mechanisms, which can use very different formats of 
representations of the authorization attributes. It also allows users to 
build authorization data according to their current needs.



krbdev mailing list             krbdev at
