>Can you provide any references or documentation on this?  I have looked
>through all of the Microsoft documents I can get a hold of, and can find
>no information on this.

A brief overview is given at:

http://www.usenix.org/publications/login/1998-5/brundrett.html

The PAC verification RPC will be made by the LSA when a client provides a
PAC in the AP_REQ, the server is not running as the Local System Account,
and the server calls ImpersonateSecurityContext(). One can modify the 
MSDN sample SSPI server fairly easily to trigger this.

The RPC is to avoid the privilege escalation that would arise from a server
running with less privilege forging a ticket to itself with privileged
authorization data and asking the LSA to impersonate.

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos