Microsoft PAC Kerberos ticket parsing
Brought to you by:
kouril
Hi all,
it would be very useful to implement functionality that parses the PAC section that the Active Directory KDC adds to Kerberos service tickets, so that it would be possible to use an AD domain controller as a Kerberos authorization system (for example, by specifying "require group groupname" in auth_kerb.conf) and not only for authentication.
http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1014058,00.html
Sorry for my bad English :)!
massimiliano.laporta@gmail.com
I don't think we should mix authentication and authorization in 1 module. The ticket can be passed to another module used for authorization and granting privileges, but not to be parsed in one line with authentication.
Actually, the ticket request needs to have 'request-pac' passed as part of the API to even receive the PAC structure. Currently it doesn't, so it would be impossible to implement the authorization independently of this. We would at least need some flag to be able to retrieve the PAC.