requesting MS-PAC in AS-REQ
Nate Rosenblum
nater at maginatics.com
Thu Aug 7 15:37:44 EDT 2014
>
> I think you are right for now. I will open a ticket that we should add
> krb5_get_init_creds_opt_set_pac_request like Heimdal does.
> Unfortunately there isn't time to get it into 1.13.
>
> Under what circumstances does AD use this padata element? I thought
> that it normally included a PAC by default, unless the service principal
> is configured not to require it.
>
I believe that Windows servers will only return a PAC in the AS-REP and
TGS-REP messages if requested; that's my reading of MS-KILE, Sec. 3.3.5.3 (
http://msdn.microsoft.com/en-us/library/cc233897.aspx). I could be wrong;
let me double-check.
--nate
More information about the krbdev
mailing list