Can Internet Explorer generate a forwardable tgt without PAC data in it?
Douglas E. Engert
deengert at anl.gov
Wed Aug 14 17:21:53 EDT 2013
On 8/14/2013 8:56 AM, Srinivas Cheruku wrote:
> Hi All,
> When UserAccountControl flag TRUSTED_FOR_DELEGATION is set on the computer account of the service, then Internet Explorer is able to send the forwardable tgt to the service.
> When UserAccountControl flag NO_AUTH_DATA_REQUIRED is set on the computer account of the service, then the service ticket returned is without PAC data which is good.
> We have a constraint on the length of the Authorization Header that can be sent across and so when NO_AUTH_DATA_REQUIRED flag is set, the Authorization Header length was reduced.
> But, we want to reduce the length further and we were wondering whether it is possible to get the forwardable tgt without PAC data included in it.
> Any ideas on how we can achieve this?
Microsoft knows it's a problem...
But this is more of a band-aid, just trying to keep the PAC smaller,
rather than having a way to get the PAC out of the ticket.
No mention of a TGT...
Rather than forwarding on a TGT, can you forward on selected
service tickets, that don't have a PAC?
> Srinivas Cheruku
> Development Manager
> [Telephone] +91 80 41462476
> [Web] http://CyberSafe.com [SAP Solutions] http://CyberSafe.com/SAP
> krbdev mailing list krbdev at mit.edu
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
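An added example, not part of the original thread: a small audit that decodes the two userAccountControl bits discussed above for a set of computer accounts and builds the LDAP bitwise-AND filter that finds them in a directory. The account names and values are constructed sample data; the bit values are the documented Active Directory constants.

```python
# Added example; sample accounts below are constructed, not from the thread.
TRUSTED_FOR_DELEGATION = 0x00080000  # clients may forward a TGT to this service
NO_AUTH_DATA_REQUIRED = 0x02000000   # service tickets are issued without a PAC
ACCOUNTDISABLE = 0x00000002
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

SAMPLE = """\
sAMAccountName: WEB01$
userAccountControl: 528384

sAMAccountName: SAP01$
userAccountControl: 34082816

sAMAccountName: FILE01$
userAccountControl: 4096

sAMAccountName: OLD01$
userAccountControl: 528386
"""

def ldap_filter(*flags):
    """Filter for computer accounts that have ALL of the given bits set."""
    mask = 0
    for flag in flags:
        mask |= flag
    return f"(&(objectCategory=computer)(userAccountControl:{BIT_AND_RULE}:={mask}))"

def parse_records(text):
    """Parse 'attribute: value' blocks separated by blank lines."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        if "sAMAccountName" in rec and "userAccountControl" in rec:
            yield rec

def audit(text):
    """Map each account to the delegation and PAC behaviour its flags select."""
    report = {}
    for rec in parse_records(text):
        uac = int(rec["userAccountControl"])
        report[rec["sAMAccountName"]] = {
            "enabled": not uac & ACCOUNTDISABLE,
            "trusted_for_delegation": bool(uac & TRUSTED_FOR_DELEGATION),
            "pac_omitted": bool(uac & NO_AUTH_DATA_REQUIRED),
        }
    return report

if __name__ == "__main__":
    print(ldap_filter(TRUSTED_FOR_DELEGATION))
    for name, flags in audit(SAMPLE).items():
        print(name, flags)
```

Accounts reported with `trusted_for_delegation` receive users' forwarded TGTs, so the list is worth reviewing regularly and keeping short.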