
I am developing a server service using Kerberos and got the ticket from the client. I can decipher the ticket with the predefined keytab; now my question is how to use the PAC information in the ticket. Previously I used the LDAP procedure to query the user's group membership to get the authorization information.

Now the PAC's logon information includes the membership, but it is the group ID, and I need the "DN" text-based format (CN=xxx,OU=xxx,DC=xxx...).

I would like to know, in general, how to use this authorization data in the ticket on the service server. Thanks!

orasy
  • I am assuming you are using Active Directory for Kerberos here. If so, please also add the following tags to this question: active-directory, spnego, ldap – T-Heron Feb 14 '17 at 22:30
  • Updated. Yes, I am using Active Directory. Now mapping a group name to a SID can be resolved by LDAP query. I am using the GSSAPI to implement Kerberos. Now I need to extract the PAC information. – orasy Feb 15 '17 at 04:05

1 Answer

If your application service is not running on Windows, you will not be able to read the PAC without jumping through some serious hoops. The PAC is built using Microsoft proprietary code, which is something Microsoft introduced into their flavor of Kerberos IAW RFC 1510 but, in their words, "slightly modified". Shortly after the release of Windows 2000 [Active Directory], Microsoft received some negative press attention because of the proprietary way they used the PAC field in a Kerberos ticket. [Microsoft] explicitly forbids the creation of software that implements the PAC as described in the specifications.

I spent a long time trying to find something open source and reliable which could read the PAC anyway, and I found that JAASLounge does this. It's an old article though (from 2010). Be aware that it appears, based on my interpretation of Microsoft's statement, to be a violation of their terms and conditions.

Anyway, I've also bookmarked two threads from right here in this forum by people who claim to have gotten JAASLounge working, and some of the troubles they had to work through.

Decrypt kerberos ticket using Spnego

Malformed PAC logon info on new KerberosToken

In case you don't want to go down this route, and want to bypass the PAC to determine the AD user's group memberships, then you will have to resort to making an LDAP call back to the AD domain controller.

I'll close by saying that if you're running on a Windows-based application server such as IIS or SharePoint, Kerberos decoding of the PAC takes place automatically, so no special code, configuration, or keytab file is ever required.

T-Heron
  • T-Heron, thanks for your reply. In the MIT Kerberos document, I did find the API to get PAC information. I will update if I successfully make it with the C language. – orasy Feb 15 '17 at 04:01
  • Using the GSSAPI, you can retrieve the PAC data and decode the logon information buffer to get the authorization data (group membership). – orasy Feb 16 '17 at 21:12
  • @Orasy. Thanks for your comment. I've bookmarked this response. – T-Heron Feb 16 '17 at 21:14
  • @orasy - is there any way you could do me a really really big favor and please provide the URL hyperlink to the MIT Kerberos document you used to find the API to get PAC information? :-) – T-Heron May 16 '17 at 21:54
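As an added example (not code from the question, the answer or the projects named above): before a service trusts any group membership it reads out of the PAC, it should locate the logon-info buffer through the PACTYPE buffer table ([MS-PAC] 2.3 and 2.4) and verify the server checksum with the key from its own keytab. The Python below does exactly that for the RC4-HMAC case (KERB_CHECKSUM_HMAC_MD5, the keyed checksum of RFC 4757 section 4; AES keys sign the PAC with HMAC-SHA1-96 instead and are not handled here). The PAC bytes, the logon-info payload and the service key are constructed sample values, and build_sample_pac exists only to produce a signed blob to test against.

```python
import hashlib, hmac, struct
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 0x1, 0x6, 0x7  # MS-PAC 2.4 ulType values
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # signature type paired with RC4-HMAC keys (16-byte signature)
KEY_USAGE_PAC_SERVER = 17             # KERB_NON_KERB_CKSUM_SALT, MS-PAC 2.8.1

def parse_pac(pac: bytes) -> dict:
    """Split a PACTYPE blob into {ulType: (offset, body)} per MS-PAC 2.3/2.4."""
    count, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version")
    buffers = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac) or ul_type in buffers:
            raise ValueError("malformed PAC buffer table")
        buffers[ul_type] = (offset, pac[offset:offset + size])
    return buffers

def hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757 s.4): HMAC-MD5(Ksign, MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def verify_server_checksum(pac: bytes, service_key: bytes) -> bool:
    """Recompute the server signature over the PAC with both Signature fields zeroed."""
    bufs = parse_pac(pac)
    zeroed = bytearray(pac)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off, body = bufs[t]
        zeroed[off + 4:off + len(body)] = bytes(len(body) - 4)  # keep SignatureType, zero Signature
    off, body = bufs[PAC_SERVER_CHECKSUM]
    if struct.unpack_from("<I", body, 0)[0] != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("only HMAC-MD5 signatures are handled in this example")
    expected = hmac_md5_checksum(service_key, KEY_USAGE_PAC_SERVER, bytes(zeroed))
    return hmac.compare_digest(expected, body[4:])

def build_sample_pac(logon_info: bytes, service_key: bytes) -> bytes:
    """Constructed test PAC; the KDC signature stays zero since a service cannot verify it."""
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16)
    bodies = [(PAC_LOGON_INFO, logon_info), (PAC_SERVER_CHECKSUM, empty_sig),
              (PAC_PRIVSVR_CHECKSUM, empty_sig)]
    table, data, base = b"", b"", 8 + 16 * len(bodies)
    for ul_type, body in bodies:
        table += struct.pack("<IIQ", ul_type, len(body), base + len(data))
        data += body + bytes(-len(body) % 8)       # every buffer starts on an 8-byte boundary
    pac = bytearray(struct.pack("<II", len(bodies), 0) + table + data)
    off = parse_pac(bytes(pac))[PAC_SERVER_CHECKSUM][0] + 4
    pac[off:off + 16] = hmac_md5_checksum(service_key, KEY_USAGE_PAC_SERVER, bytes(pac))
    return bytes(pac)
```

Decoding the logon-info body itself (an NDR-marshalled KERB_VALIDATION_INFO carrying the user RID and group RIDs, which LDAP can then map to DNs) is a separate step; in a C service built on MIT Kerberos, krb5_pac_parse, krb5_pac_verify and krb5_pac_get_buffer perform the parsing and signature check shown here.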