Kerberos Feature Request

Sam Hartman hartmans at MIT.EDU
Wed Feb 11 13:39:27 EST 2004

>>>>> "Frank" == Frank Balluffi <frank.balluffi at> writes:

    Frank>    Daniel, Regarding passing authorization data in an
    Frank> AS-REQ, the Microsoft KDC allows a client to specify
    Frank> whether to put PAC data in a ticket or not (see
    Frank> b/html/MSDN_PAC.asp). I am not convinced it is a good idea
    Frank> for a client to specify its authorization data. Might such
    Frank> a mechanism allow a user to increase its privileges?  Frank

Folks, this discussion has drifted far enough away from reality that
it is no longer appropriate for krbdev.  Even if it drifts back to
reality it's all been fairly well hashed out before.

1) You cannot add authorization data in an AS request, only a TGS

2) There are mechanisms to deal with avoiding increasing privileges.
   Please read Kerberos clarifications.  Particularly look at the KDC-ISSUED authorization data.

If someone wants to propose a plugin API or more interestingly to
implement it, discussing that here on krbdev would be fine.

More information about the krbdev mailing list