Question about excluding the PAC

Schwartz, John John.Schwartz at anthem.com
Sat Feb 2 14:51:29 EST 2019


Hi guys, I had the recommend flag set on the service account and it does not appear to have the desired effect. Would you know if any services need to be restarted or cache cleared?



It is still passing the authorization data for my account.






Anthem, Inc.

John Schwartz,  Exec Advisor, Authentication Services

21555 Oxnard St., Woodland Hills, California 91367

O: (818) 234-6763 |

john.schwartz at anthem.com



-----Original Message-----
From: Mark Pröhl [mailto:mark at mproehl.net]
Sent: Wednesday, January 30, 2019 4:22 AM
To: Simo Sorce <simo at redhat.com>; Schwartz, John <John.Schwartz at anthem.com>; krbdev at mit.edu
Subject: Re: Question about excluding the PAC



Some more tips/links:

(1) You should check that no other kerberized services that require
    service tickets with a PAC are associated with the same AD account
    as your web service. It is best practice to use a dedicated AD
    service account only for the HTTP principal.

(2) Technically you need to modify the attribute userAccountControl of
    the AD account that is associated with the HTTP principal. This
    attribute is a bit-mask and you need to add the value 0x02000000
    (ADS_UF_NO_AUTH_DATA_REQUIRED). See also:
    https://msdn.microsoft.com/en-us/library/cc223145.aspx

(3) IMO the easiest way to disable PAC is provided by msktutil
    (https://github.com/msktutil/msktutil).
    Man msktutil and search for --no-pac

(4) Users need to obtain new Kerberos tickets after this modification

- Mark





On 1/30/19 12:00 PM, Simo Sorce wrote:

> The best and only way forward for you is to ask your AD admins to

> disable PAC for your HTTP server. Then *all* clients will get tickets

> w/o the PAC. You cannot do anything on the HTTP server, it is too

> late, big tickets with PACs have already been sent to you.

>

> Regards,

> Simo.

>

> On Tue, 2019-01-29 at 21:05 +0000, Schwartz, John wrote:

>> The KDC is Active Directory. The problem I need to do for all logged in users and the main reason is that we do not need authorization data and we had to increase the http header size to the max to allow what we have. I fear that once a few users get added to a few more groups, it can push us over the limit.

>>

>> The other way to fix it is if there was good group management but with around 70K users, that would be nearly impossible to remediate.

>>

>> No one needs to be a part of a couple of hundred or more groups.

>>

>> Kerberos provides documentation to code APIs and reference them from the krb5.conf but (at least for me) it is not clear enough of how to integrate.

>>

>> They provide the variable that needs to be modified but do not say which header file it belongs to etc...

>>

>> Thanks,

>>

>> Anthem, Inc.

>>

>> John Schwartz,  Exec Advisor, Authentication Services

>> 21555 Oxnard St., Woodland Hills, California 91367

>> O: (818) 234-6763 |

>> john.schwartz at anthem.com<mailto:john.schwartz at anthem.com>

>>

>>

>> -----Original Message-----

>> From: Mark Pröhl [mailto:mark at mproehl.net]

>> Sent: Tuesday, January 29, 2019 12:59 PM

>> To: Schwartz, John <John.Schwartz at anthem.com<mailto:John.Schwartz at anthem.com>>; krbdev at mit.edu<mailto:krbdev at mit.edu>

>> Subject: Re: Question about excluding the PAC

>>

>> Hi,

>>

>> I wonder what kind of Kerberos infrastructure is providing the PAC. In case of Active Directory you typically can get rid of the PAC by modifying the service account that is associated with the HTTP principal. This only affects tickets for that particular service.

>> Maybe your implementation on Linux offers a similar way?

>>

>> Regards,

>>

>> Mark Pröhl

>>

>> On 1/25/19 10:56 PM, Schwartz, John wrote:

>>> All, I have a Kerberos 5 implementation running on Linux and it is integrated with the web server for website SSO access.

>>>

>>> I have a need to exclude the PAC from the request ticket and am looking for the simplest way to do that.

>>>

>>> I see that kinit has the option "--no-request-pac"

>>>

>>> Is there a similar way to do it from the krb5.conf or does it need a custom shared object?

>>>

>>> If it needs a custom shared object, can someone provide sample code?  I am not able to tell from the existing documentation what needs to be done.

>>>

>>> Any assistance is greatly appreciated.

>>>

>>> Thank you,

>>>

>>> Anthem, Inc.

>>>

>>>

>>>

>>> John Schwartz,  Exec Advisor, Authentication Services

>>> 21555 Oxnard St., Woodland Hills, California 91367

>>> O: (818) 234-6763 |

>>> john.schwartz at anthem.com<mailto:john.schwartz at anthem.com>

>>>

>>>

>>>

>>>

>>> CONFIDENTIALITY NOTICE: This e-mail message, including any

>>> attachments, is for the sole use of the intended recipient(s) and

>>> may contain confidential and privileged information or may otherwise

>>> be protected by law. Any unauthorized review, use, disclosure or

>>> distribution is prohibited. If you are not the intended recipient,

>>> please contact the sender by reply e-mail and destroy all copies of the original message and any attachment thereto.

>>> _______________________________________________

>>> krbdev mailing list             krbdev at mit.edu<mailto:krbdev at mit.edu>

>>> https://urldefense.proofpoint.com/v2/url?u=https-3A__mailman.mit.edu

>>> _m

>>> ailman_listinfo_krbdev&d=DwIDaQ&c=A-GX6P9ovB1qTBp7iQve2Q&r=9ggArrKwg

>>> 0X

>>> CMk2h_JcalRiGjZ1d7o1PDuo5y6VpEPI&m=K_UDGkrlsPQtjd0oYY8PAEUh77APD4rEp

>>> OY P1TpkFes&s=IyZVpEh_-xwcbZm0p43PEt0m8YMgMKP3w18TyY_3shM&e=

>>>

>>


>>


>
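Worked example added by the editor (not code from the thread, from msktutil or from Active Directory): it applies Mark's tips (1) and (2) to a constructed ldapsearch-style record of the HTTP service account, reporting whether the 0x02000000 bit is already set, which other SPNs share the account, and the LDIF change that sets the bit without clobbering the other userAccountControl flags. The sample DN, SPNs and the flag-name table are assumptions for illustration.

```python
# Added example: audit an AD service account for PAC suppression.
ADS_UF_NO_AUTH_DATA_REQUIRED = 0x02000000  # value quoted in the thread

# Subset of userAccountControl bits, used only to make reports readable.
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
}

def parse_ldif_record(text):
    """Parse one flat LDIF record (no line folding) into {attr: [values]}."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        record.setdefault(attr.strip(), []).append(value.strip())
    return record

def audit_service_account(record):
    """Tip (2): is the PAC bit set?  Tip (1): is the account shared with non-HTTP SPNs?"""
    uac = int(record["userAccountControl"][0])
    spns = record.get("servicePrincipalName", [])
    non_http = [s for s in spns if not s.upper().startswith("HTTP/")]
    return {
        "pac_disabled": bool(uac & ADS_UF_NO_AUTH_DATA_REQUIRED),
        "flags": [name for bit, name in UAC_FLAGS.items() if uac & bit],
        "shared_with_other_services": non_http,  # these would also lose the PAC
        "new_uac": uac | ADS_UF_NO_AUTH_DATA_REQUIRED,  # OR keeps existing bits
    }

def ldif_modify_set_no_pac(dn, current_uac):
    """LDIF change record an AD admin could apply with ldapmodify."""
    new = current_uac | ADS_UF_NO_AUTH_DATA_REQUIRED
    return (f"dn: {dn}\nchangetype: modify\nreplace: userAccountControl\n"
            f"userAccountControl: {new}\n-\n")

# Constructed sample: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD (66048), PAC bit
# not set, and a second SPN showing the account is not dedicated to HTTP.
SAMPLE = """dn: CN=svc-web,OU=Service Accounts,DC=example,DC=com
userAccountControl: 66048
servicePrincipalName: HTTP/www.example.com
servicePrincipalName: MSSQLSvc/db.example.com:1433
"""

if __name__ == "__main__":
    rec = parse_ldif_record(SAMPLE)
    print(audit_service_account(rec))
    print(ldif_modify_set_no_pac(rec["dn"][0], int(rec["userAccountControl"][0])))
```

Per Mark's tip (4), a fresh kinit is still needed before the audit's result is visible in the tickets the web server receives.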




