Posted to dev@directory.apache.org by "Dmitry Bedrin (JIRA)" <ji...@apache.org> on 2017/08/12 19:08:00 UTC

[jira] [Commented] (DIRKRB-79) Access the PAC-region of AS_REQ to get group membership information supplied by MS KDC

    [ https://issues.apache.org/jira/browse/DIRKRB-79?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16124683#comment-16124683 ] 

Dmitry Bedrin commented on DIRKRB-79:
-------------------------------------

Project JAASLounge supports parsing this data:
https://github.com/pingidentity/jaaslounge-decoding/blob/master/src/main/java/org/jaaslounge/decoding/pac/PacLogonInfo.java

The project (both original and this fork) seems abandoned, though.

> Access the PAC-region of AS_REQ to get group membership information supplied by MS KDC
> --------------------------------------------------------------------------------------
>
>                 Key: DIRKRB-79
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-79
>             Project: Directory Kerberos
>          Issue Type: Wish
>            Reporter: Alex Karasulu
>            Assignee: Emmanuel Lecharny
>            Priority: Minor
>
> The Microsoft KDC uses the PAC-region to supply authorization information (namely group memberships) returned back to systems in the authentication response of the Authentication Service. 
> It's foreseeable that the Kerberos codec will eventually be used for the de facto standard KRB5 client hosted here at Directory. This capability to access the PAC's group membership information will allow KRB clients using this library to manage authorization based on MS network groups. Here's a paper talking about the PAC region: http://msdn.microsoft.com/en-us/library/Aa302203


