requesting MS-PAC in AS-REQ

Greg Hudson ghudson at MIT.EDU
Thu Aug 7 15:21:25 EDT 2014

On 08/06/2014 06:12 PM, Nate Rosenblum wrote:
> When requesting a TGT from a Microsoft KDC, I'd like to request a PAC by
> adding a KRB5_PADATA_PAC_REQUEST to the PADATA. I looked through the public
> headers and no method for doing this jumps out at me; is this something for
> which I'd need to add a client preauth module for?

I think you are right for now.  I will open a ticket that we should add
krb5_get_init_creds_opt_set_pac_request like Heimdal does.
Unfortunately there isn't time to get it into 1.13.

Under what circumstances does AD use this padata element?  I thought
that it normally included a PAC by default, unless the service principal
is configured not to require it.

More information about the krbdev mailing list