requesting MS-PAC in AS-REQ


requesting MS-PAC in AS-REQ

Nate Rosenblum
When requesting a TGT from a Microsoft KDC, I'd like to request a PAC by
adding a KRB5_PADATA_PAC_REQUEST to the PADATA. I looked through the public
headers and no method for doing this jumps out at me; is this something for
which I'd need to add a client preauth module for?

Thanks,

--nate
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: requesting MS-PAC in AS-REQ

Greg Hudson
On 08/06/2014 06:12 PM, Nate Rosenblum wrote:
> When requesting a TGT from a Microsoft KDC, I'd like to request a PAC by
> adding a KRB5_PADATA_PAC_REQUEST to the PADATA. I looked through the public
> headers and no method for doing this jumps out at me; is this something for
> which I'd need to add a client preauth module for?

I think you are right for now.  I will open a ticket that we should add
krb5_get_init_creds_opt_set_pac_request like Heimdal does.
Unfortunately there isn't time to get it into 1.13.

Under what circumstances does AD use this padata element?  I thought
that it normally included a PAC by default, unless the service principal
is configured not to require it.

Re: requesting MS-PAC in AS-REQ

Nate Rosenblum
>
> I think you are right for now.  I will open a ticket that we should add
> krb5_get_init_creds_opt_set_pac_request like Heimdal does.
> Unfortunately there isn't time to get it into 1.13.
>
> Under what circumstances does AD use this padata element?  I thought
> that it normally included a PAC by default, unless the service principal
> is configured not to require it.
>

I believe that Windows servers will only return a PAC in the AS-REP and
TGS-REP messages if requested; that's my reading of MS-KILE, Sec. 3.3.5.3 (
http://msdn.microsoft.com/en-us/library/cc233897.aspx). I could be wrong;
let me double-check.

--nate
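As an added example, not code from this thread, from MIT krb5 or from Heimdal, here is a self-contained Python encoder and decoder for the padata element the thread is about. It uses the KERB-PA-PAC-REQUEST definition from MS-KILE section 2.2.3 (padata-type 128, a SEQUENCE holding `include-pac [0] BOOLEAN`) and the PA-DATA wrapper from RFC 4120, so it shows the exact bytes a client would put into the AS-REQ padata and, in the other direction, lets someone looking at a captured AS-REQ tell whether it explicitly asked for or declined a PAC. All function names and the sample padata list are my own constructions.

```python
"""Encode/decode PA-PAC-REQUEST (padata-type 128) as carried in an AS-REQ.

ASN.1 (explicit tagging, as everywhere in Kerberos):
  KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }      (MS-KILE 2.2.3)
  PA-DATA ::= SEQUENCE { padata-type [1] Int32,
                         padata-value [2] OCTET STRING }            (RFC 4120)
"""
from typing import Optional, Tuple

PA_PAC_REQUEST = 128  # padata-type of KERB-PA-PAC-REQUEST


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """One DER element: tag, length, contents."""
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(v: int) -> bytes:
    """Minimal two's-complement INTEGER; padata types are non-negative here."""
    if v < 0:
        raise ValueError("negative padata-type not supported")
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_boolean(v: bool) -> bytes:
    """DER BOOLEAN: TRUE is exactly 0xFF, FALSE exactly 0x00."""
    return tlv(0x01, b"\xff" if v else b"\x00")


def explicit(n: int, body: bytes) -> bytes:
    """Context-specific constructed [n] EXPLICIT tag."""
    return tlv(0xA0 | n, body)


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """KERB-PA-PAC-REQUEST value, e.g. 30 05 a0 03 01 01 ff for TRUE."""
    return tlv(0x30, explicit(0, der_boolean(include_pac)))


def encode_pa_data(padata_type: int, value: bytes) -> bytes:
    """Wrap a padata value in a PA-DATA SEQUENCE."""
    return tlv(0x30, explicit(1, der_integer(padata_type)) + explicit(2, tlv(0x04, value)))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Return (tag, contents, end offset) of the element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def expect(buf: bytes, tag: int) -> bytes:
    """Read exactly one element with the given tag that spans the whole buffer."""
    got, body, end = read_tlv(buf)
    if got != tag or end != len(buf):
        raise ValueError(f"expected tag 0x{tag:02x}, got 0x{got:02x}")
    return body


def decode_pa_pac_request(buf: bytes) -> bool:
    """Parse KERB-PA-PAC-REQUEST and return include-pac; reject non-DER booleans."""
    body = expect(expect(expect(buf, 0x30), 0xA0), 0x01)
    if body not in (b"\x00", b"\xff"):
        raise ValueError("non-DER BOOLEAN contents")
    return body == b"\xff"


def decode_pa_data(buf: bytes) -> Tuple[int, bytes]:
    """Parse one PA-DATA into (padata-type, padata-value)."""
    seq = expect(buf, 0x30)
    tag1, ctx1, pos = read_tlv(seq)
    tag2, ctx2, end = read_tlv(seq, pos)
    if (tag1, tag2) != (0xA1, 0xA2) or end != len(seq):
        raise ValueError("malformed PA-DATA")
    return int.from_bytes(expect(ctx1, 0x02), "big"), expect(ctx2, 0x04)


def pac_request_in_padata(padata_list: bytes) -> Optional[bool]:
    """Walk the AS-REQ padata (SEQUENCE OF PA-DATA). Return the include-pac
    value if a PA-PAC-REQUEST is present, None if the request did not say."""
    seq = expect(padata_list, 0x30)
    pos = 0
    while pos < len(seq):
        _tag, _body, end = read_tlv(seq, pos)
        ptype, value = decode_pa_data(seq[pos:end])
        pos = end
        if ptype == PA_PAC_REQUEST:
            return decode_pa_pac_request(value)
    return None


if __name__ == "__main__":
    # Constructed padata list: a placeholder type-2 (PA-ENC-TIMESTAMP slot, contents
    # not meaningful here) followed by PA-PAC-REQUEST asking for a PAC.
    padata = tlv(0x30, encode_pa_data(2, b"\x30\x00")
                 + encode_pa_data(PA_PAC_REQUEST, encode_pa_pac_request(True)))
    print(padata.hex())
    print("PAC explicitly requested:", pac_request_in_padata(padata))
```

The three-way result of `pac_request_in_padata` (True, False, or None when the element is absent) is the distinction that matters when reasoning about Greg's question above: a request that carries no PA-PAC-REQUEST at all is different from one that carries `include-pac FALSE`.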