The PAC must be the first ad-element
iboukris at gmail.com
Fri Jan 31 20:05:47 EST 2020
On Fri, Jan 31, 2020 at 1:46 PM Isaac Boukris <iboukris at gmail.com> wrote:
> When I recently confirmed that Windows hosts have no problem with
> other ad-elements alongside the PAC, I was too lazy to test a change of
> order. Today I tested it and found that Windows servers are not happy
> when the PAC is not the first ad-if-relevant element.
Interestingly, in the trust case, if the PAC is the first element, the
trusted Windows KDC would remove the other element and leave only the
PAC (if the other element was first, then it is not removed, but it
breaks service access).
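
An added example, not part of the original message and not krb5 code: a minimal DER reader that checks the ordering described above on an encoded AuthorizationData. It assumes each element sits in its own AD-IF-RELEVANT container and reads "first" as "the first top-level element is AD-IF-RELEVANT and its first inner element is the PAC"; the sample bytes and ad-type 9999 are constructed placeholders.

```python
# Added example (not krb5 code). AuthorizationData is
#   SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
AD_IF_RELEVANT = 1    # RFC 4120
AD_WIN2K_PAC = 128    # MS-PAC

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_authdata(der):
    """Return [(ad_type, ad_data), ...] in wire order."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF")
    out, pos = [], 0
    while pos < len(body):
        _, elem, pos = _tlv(body, pos)
        t0, v0, nxt = _tlv(elem, 0)     # [0] ad-type
        t1, v1, _ = _tlv(elem, nxt)     # [1] ad-data
        if (t0, t1) != (0xA0, 0xA1):
            raise ValueError("unexpected field tags")
        ad_type = int.from_bytes(_tlv(v0, 0)[1], "big", signed=True)
        out.append((ad_type, _tlv(v1, 0)[1]))
    return out

def pac_is_first(der):
    """True if element 0 is AD-IF-RELEVANT and its first inner element is the PAC."""
    outer = parse_authdata(der)
    if not outer or outer[0][0] != AD_IF_RELEVANT:
        return False
    inner = parse_authdata(outer[0][1])
    return bool(inner) and inner[0][0] == AD_WIN2K_PAC

# Constructed samples (assumed layout: one AD-IF-RELEVANT container per element).
_HDR = "301aa003020101a1130411"         # element header: ad-type 1, 17-byte ad-data
PAC_ELEM = bytes.fromhex(_HDR + "300f300da00402020080a1050403504143")    # ad-type 128, b"PAC"
OTHER_ELEM = bytes.fromhex(_HDR + "300f300da0040202270fa10504034f5448")  # ad-type 9999, b"OTH"
PAC_FIRST = b"\x30\x38" + PAC_ELEM + OTHER_ELEM
OTHER_FIRST = b"\x30\x38" + OTHER_ELEM + PAC_ELEM

if __name__ == "__main__":
    for name, blob in (("PAC_FIRST", PAC_FIRST), ("OTHER_FIRST", OTHER_FIRST)):
        print(name, "PAC first:", pac_is_first(blob))
```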