Incorrect expiration time for tickets returned from Windows KDCs
lukeh at padl.com
Mon Aug 29 08:20:12 EDT 2005
>> This sounds like a case of a growing PAC, when the user becomes a member
>> (directly or indirectly, as it is a flattened list) of another group.
>There used to be a boolean bit of preauth data you could include
>which meant "don't include the PAC in the ticket." Did it go away??
>I ran into it when users changing their non-windows Kerberos password
>from the Windows secure-channel box would generate an AS_REQ with
>that padata in it.
The flag works for the AS-REQ only, not the TGS-REQ. You have to use
the userAccountControl hotfix to avoid including the PAC in service
More information about the krbdev
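The two mechanisms the reply contrasts, as an added example that is not code from this thread, from MIT Kerberos or from Microsoft: the pre-authentication flag is KERB-PA-PAC-REQUEST (padata-type 128, defined in MS-KILE as SEQUENCE { include-pac [0] BOOLEAN }) carried in an RFC 4120 PA-DATA element of an AS-REQ, and the per-account control is the userAccountControl bit UF_NO_AUTH_DATA_REQUIRED (0x02000000), which makes the KDC omit the PAC from service tickets for that account. That the "userAccountControl hotfix" in the reply maps onto that bit is an assumption here, not something the thread states. The block below is a self-contained DER encoder and strict decoder for the padata, plus the bit manipulation for the service account; the hex vectors in the comments are derived by hand from the ASN.1, not captured from a real KDC.

```python
"""KERB-PA-PAC-REQUEST (padata-type 128) and UF_NO_AUTH_DATA_REQUIRED helpers.

Structures (MS-KILE 2.2.3 and RFC 4120 5.2.7):
    KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }
    PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }
Added example; not code from the krbdev thread.
"""

PA_PAC_REQUEST = 128                    # padata-type for KERB-PA-PAC-REQUEST
UF_NO_AUTH_DATA_REQUIRED = 0x02000000   # userAccountControl bit (assumed to be what
                                        # the "userAccountControl hotfix" toggles)


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with minimal (short or long form) length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value: int) -> bytes:
    """DER INTEGER: minimal two's-complement length (128 needs two bytes: 00 80)."""
    nbytes = 1
    while not (-(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1))):
        nbytes += 1
    return _tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """KERB-PA-PAC-REQUEST body. include_pac=False -> 30 05 a0 03 01 01 00."""
    boolean = _tlv(0x01, b"\xff" if include_pac else b"\x00")
    return _tlv(0x30, _tlv(0xA0, boolean))          # SEQUENCE { [0] BOOLEAN }


def encode_pa_data(include_pac: bool) -> bytes:
    """PA-DATA element ready to be appended to an AS-REQ padata list."""
    ptype = _tlv(0xA1, _der_int(PA_PAC_REQUEST))    # padata-type [1] Int32
    pvalue = _tlv(0xA2, _tlv(0x04, encode_pa_pac_request(include_pac)))
    return _tlv(0x30, ptype + pvalue)


def _read_tlv(buf: bytes, pos: int = 0):
    """Parse one DER TLV at buf[pos]; rejects indefinite and non-minimal lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nlen = first & 0x7F
        if nlen == 0 or pos + nlen > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + nlen], "big")
        pos += nlen
        if length < 0x80 or nlen > 1 and buf[pos - nlen] == 0:
            raise ValueError("non-minimal DER length")
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated TLV body")
    return tag, body, pos + length


def decode_pa_pac_request(der: bytes) -> bool:
    """Strictly decode a KERB-PA-PAC-REQUEST body and return include-pac."""
    tag, seq, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag, ctx, end = _read_tlv(seq)
    if tag != 0xA0 or end != len(seq):
        raise ValueError("expected [0] include-pac")
    tag, val, end = _read_tlv(ctx)
    if tag != 0x01 or end != len(ctx) or len(val) != 1:
        raise ValueError("expected BOOLEAN")
    if val == b"\xff":
        return True
    if val == b"\x00":
        return False
    raise ValueError("BOOLEAN is not DER-canonical")   # BER allows 01..fe, DER does not


def decode_pa_data(der: bytes):
    """Return (padata-type, padata-value bytes) from a PA-DATA element."""
    tag, seq, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected PA-DATA SEQUENCE")
    t1, ctx1, p = _read_tlv(seq)
    t2, ctx2, end = _read_tlv(seq, p)
    if (t1, t2) != (0xA1, 0xA2) or end != len(seq):
        raise ValueError("expected [1] padata-type and [2] padata-value")
    itag, ibody, _ = _read_tlv(ctx1)
    otag, obody, _ = _read_tlv(ctx2)
    if itag != 0x02 or otag != 0x04:
        raise ValueError("bad padata-type or padata-value encoding")
    return int.from_bytes(ibody, "big", signed=True), obody


def set_no_auth_data_required(uac: int) -> int:
    """Set the bit that tells the KDC to leave the PAC out of service tickets."""
    return uac | UF_NO_AUTH_DATA_REQUIRED


def pac_suppressed_for_service(uac: int) -> bool:
    """True if service tickets for an account with this userAccountControl carry no PAC."""
    return bool(uac & UF_NO_AUTH_DATA_REQUIRED)
```

The decoder is deliberately strict: a KDC or client that accepts BER-style BOOLEAN values (anything non-zero as TRUE) or non-minimal lengths will interpret the same bytes differently from one that insists on DER, which is exactly the kind of disagreement that turns into interoperability bugs between MIT and Windows implementations.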