[29757] in Kerberos


Re: PAC missing from service tickets why?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Thu Apr 24 16:30:04 2008

Message-ID: <4810ED44.6000006@anl.gov>
Date: Thu, 24 Apr 2008 15:27:48 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Michael B Allen <ioplex@gmail.com>
In-Reply-To: <78c6bd860804241211x62440b13t8d4d29df77d3a4fa@mail.gmail.com>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Michael B Allen wrote:
> On 4/24/08, Douglas E. Engert <deengert@anl.gov> wrote:
>>  Michael B Allen wrote:
>>
>>> Hi All,
>>>
>>> Sorry for the MS specific question.
>>>
>>> Regarding the Privilege Attribute Certificate in the
>>> authorization-data field, someone using my SPNEGO HTTP server product
>>> is getting an error that indicates no PAC is present in the service
>>> ticket supplied by the client. The server is Windows 2003 Server and
>>> the client is Vista SP1. If they try a non-Vista client, SSO works
>>> fine.
>>>
>>> Does anyone know of a reason why the PAC would be left out of the
>>> service ticket?
>>>
>>>
>>  Yes. If the userAccountControl flag NO_AUTH_REQUIRED is set on the service
>>  account, the PAC will not be added to the service tickets for that service.
>>  See http://support.microsoft.com/kb/832572
>>
>>  This was added to keep the size of a ticket down for services that did not
>>  use the PAC and had trouble with large tickets. (Without the PAC, tickets
>>  are about 240 bytes. With a large PAC, they can be as large as 12K.)
> 
> Hi Douglas,
> 
> Well I thought for sure that would be the problem. But the user claims
> the userAccountControl value is 590336 which does not include
> NO_AUTH_DATA_REQUIRED (0x2000000).
> 
> What happens if the token is larger than 12K?

Change the registry ;-)

     http://support.microsoft.com/kb/327825

> 
> Anyone else have any ideas?

Run Wireshark on the client to see the TGS-REQ and response.
It might give you some clues, like there is a PAC in the TGT
but not in the service ticket. Or there is a PAC in the service ticket,
but for some reason it has a problem.

> 
> Right now I'm modifying my code to get authorization data from LDAP if
> the PAC isn't present but obviously that's not an ideal solution as it
> will significantly slow things down.
> 
> Mike
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
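Two checks that follow from this exchange, written as an added example (this is not code from the thread or from either poster's product): decoding the service account's userAccountControl value to see whether NO_AUTH_DATA_REQUIRED (0x2000000) is set, and walking the PACTYPE header of a PAC blob to list which buffers it carries. The PAC is carried in the authorization-data of the ticket's EncTicketPart, which is encrypted under the service key, so the parser assumes you already have the decrypted bytes (for instance from Wireshark with the service keytab loaded in the KRB5 dissector). The sample PAC blob, the build_pac helper and the buffer contents are constructed here for illustration; the buffer-type numbers and flag values follow the MS-PAC and userAccountControl documentation.

```python
"""Triage helpers for "PAC missing from the service ticket".

1. decode_uac / pac_suppressed: read userAccountControl bits, including the
   NO_AUTH_DATA_REQUIRED flag that makes the KDC omit the PAC.
2. parse_pac_header: walk the PACTYPE header (cBuffers, Version, then one
   PAC_INFO_BUFFER per buffer: ulType, cbBufferSize, Offset) of a decrypted
   PAC blob and return the buffers it references.

The PAC blob at the bottom is constructed test data, not a captured ticket.
"""
import struct

# userAccountControl bits (subset; values from Microsoft's documentation)
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
}
NO_AUTH_DATA_REQUIRED = 0x02000000


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def pac_suppressed(value):
    """True when NO_AUTH_DATA_REQUIRED is set, i.e. the KDC leaves the PAC out."""
    return bool(value & NO_AUTH_DATA_REQUIRED)


# PAC buffer types (MS-PAC, PAC_INFO_BUFFER.ulType)
PAC_BUFFER_TYPES = {
    1: "KERB_VALIDATION_INFO (logon info)",
    2: "PAC_CREDENTIAL_INFO",
    6: "PAC_SIGNATURE_DATA (server checksum)",
    7: "PAC_SIGNATURE_DATA (KDC checksum)",
    10: "PAC_CLIENT_INFO",
    11: "S4U_DELEGATION_INFO",
    12: "UPN_DNS_INFO",
}


def parse_pac_header(blob):
    """Return [(ulType, cbBufferSize, Offset, data), ...] from a PACTYPE blob.

    All integers are little-endian; the table entry is 4+4+8 bytes. Bounds
    are checked so a truncated or malformed PAC raises instead of slicing air.
    """
    if len(blob) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unexpected PAC version %d" % version)
    entries, pos = [], 8
    for _ in range(cbuffers):
        if pos + 16 > len(blob):
            raise ValueError("truncated PAC_INFO_BUFFER table")
        ultype, size, offset = struct.unpack_from("<IIQ", blob, pos)
        if offset + size > len(blob):
            raise ValueError("buffer type %d points outside the PAC" % ultype)
        entries.append((ultype, size, offset, blob[offset:offset + size]))
        pos += 16
    return entries


def build_pac(buffers):
    """Assemble a PACTYPE blob from (ulType, bytes) pairs; test data only.

    Each buffer is padded to an 8-byte boundary as MS-PAC requires.
    """
    offset = 8 + 16 * len(buffers)
    table, body = b"", b""
    for ultype, data in buffers:
        table += struct.pack("<IIQ", ultype, len(data), offset)
        padded = data + b"\x00" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + table + body


# Constructed sample: logon info, client info, and two HMAC-MD5 (0xFFFFFF76)
# signature buffers with placeholder 16-byte signatures.
SAMPLE_PAC = build_pac([
    (1, b"logon-info-placeholder"),
    (10, b"client-info"),
    (6, struct.pack("<i", -138) + b"\x11" * 16),
    (7, struct.pack("<i", -138) + b"\x22" * 16),
])

if __name__ == "__main__":
    uac = 590336  # the value reported in the thread
    print("userAccountControl %d -> %s" % (uac, ", ".join(decode_uac(uac))))
    print("PAC suppressed by NO_AUTH_DATA_REQUIRED:", pac_suppressed(uac))
    for ultype, size, offset, _ in parse_pac_header(SAMPLE_PAC):
        print("buffer type %2d at offset %3d, %2d bytes: %s"
              % (ultype, offset, size, PAC_BUFFER_TYPES.get(ultype, "unknown")))
```

With the value from the thread, decode_uac(590336) reports NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and TRUSTED_FOR_DELEGATION and no NO_AUTH_DATA_REQUIRED, which matches the poster's reading. The parser is the same walk you would do over a real PAC once the ticket is decrypted: if the authorization-data has no AD-WIN2K-PAC element at all, the question is the KDC or the account; if the element is there but the header walk fails or the server checksum buffer (type 6) is absent, the PAC is present but damaged.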
