The PAC must be the first ad-element

Isaac Boukris iboukris at gmail.com
Mon Feb 3 05:16:01 EST 2020


On Mon, Feb 3, 2020 at 10:32 AM Isaac Boukris <iboukris at gmail.com> wrote:
>
> On Sat, Feb 1, 2020 at 2:05 AM Isaac Boukris <iboukris at gmail.com> wrote:
> >
> > Interestingly, in the trust case if the PAC is the first element the
> > trusted Windows KDC would remove the other element and leave only the
> > PAC (if the other element was first, then it is not removed but it
> > breaks service access).
>
> This makes me think we may need a way to suppress some ad-types from
> the request, which I think is not possible with the current API.  If

Actually, in that trust case it's the TGT authdata that got suppressed,
not the request, but the idea is the same.

