[jira] [Commented] (DIRKRB-79) Access the PAC-region of AS_REQ to get group membership information supplied by MS KDC

2017-08-13 Thread Kai Zheng (JIRA)

[ https://issues.apache.org/jira/browse/DIRKRB-79?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16125108#comment-16125108 ]

Kai Zheng commented on DIRKRB-79:
---------------------------------

[~bedrin] this sounds like excellent work. Assigned this to you and look forward 
to your PR.

> Access the PAC-region of AS_REQ to get group membership information supplied 
> by MS KDC
> ---------------------------------------------------------------------------
>
> Key: DIRKRB-79
> URL: https://issues.apache.org/jira/browse/DIRKRB-79
> Project: Directory Kerberos
> Issue Type: Wish
> Reporter: Alex Karasulu
> Assignee: Dmitry Bedrin
> Priority: Minor
>
> The Microsoft KDC uses the PAC-region to supply authorization information 
> (namely group memberships) returned back to systems in the authentication 
> response of the Authentication Service. 
> It's foreseeable that the kerberos codec will eventually be used for the de 
> facto standard KRB5 client hosted here at Directory. This capability to 
> access the PAC's group membership information will allow KRB clients using 
> this library to manage authorization based on MS network groups. Here's a 
> paper talking about the PAC region: 
> http://msdn.microsoft.com/en-us/library/Aa302203



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
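
The first step toward the group-membership data described in the issue, as an added example that is not Kerby or JAASLounge code: walking the PAC's buffer directory to locate the logon-information buffer, with bounds checks on the attacker-influenced offsets. The field names and layout (PACTYPE, PAC_INFO_BUFFER, ulType 1) are taken from Microsoft's MS-PAC specification rather than from this thread, the class name `PacDirectory` is hypothetical, and the NDR decoding of the buffer contents is not shown.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical helper: reads the PACTYPE buffer directory (layout assumed per MS-PAC). */
public class PacDirectory {
    static final int LOGON_INFO = 1; // ulType of the buffer that carries group memberships

    /** Returns ulType -> {offset, size} for each PAC_INFO_BUFFER; rejects malformed input. */
    static Map<Integer, long[]> parse(byte[] pac) {
        if (pac.length < 8) throw new IllegalArgumentException("shorter than PACTYPE header");
        ByteBuffer b = ByteBuffer.wrap(pac).order(ByteOrder.LITTLE_ENDIAN);
        long count = b.getInt() & 0xFFFFFFFFL;      // cBuffers
        int version = b.getInt();                   // Version, expected to be 0
        if (version != 0) throw new IllegalArgumentException("unexpected version " + version);
        // Each directory entry is 16 bytes; refuse counts the data cannot hold.
        if (count > (pac.length - 8) / 16) throw new IllegalArgumentException("cBuffers too large");
        Map<Integer, long[]> dir = new LinkedHashMap<>();
        for (long i = 0; i < count; i++) {
            int type = b.getInt();                  // ulType
            long size = b.getInt() & 0xFFFFFFFFL;   // cbBufferSize
            long offset = b.getLong();              // Offset from the start of PACTYPE
            // Validate before any caller slices the array with these values.
            if (offset < 0 || offset % 8 != 0 || offset > pac.length || size > pac.length - offset)
                throw new IllegalArgumentException("buffer type " + type + " out of bounds");
            dir.put(type, new long[] {offset, size});
        }
        return dir;
    }

    public static void main(String[] args) {
        // Constructed sample: header, one directory entry, 8 placeholder bytes at offset 24.
        ByteBuffer ok = ByteBuffer.allocate(32).order(ByteOrder.LITTLE_ENDIAN);
        ok.putInt(1).putInt(0).putInt(LOGON_INFO).putInt(8).putLong(24).putLong(0L);
        long[] logon = parse(ok.array()).get(LOGON_INFO);
        System.out.println("logon info: offset=" + logon[0] + " size=" + logon[1]);

        // Constructed malformed sample: the entry claims 4096 bytes in a 32-byte PAC.
        ByteBuffer bad = ByteBuffer.allocate(32).order(ByteOrder.LITTLE_ENDIAN);
        bad.putInt(1).putInt(0).putInt(LOGON_INFO).putInt(4096).putLong(24).putLong(0L);
        try {
            parse(bad.array());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Group data read from the located buffer should drive authorization only after the PAC's server checksum buffer has been verified with the service's key.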


[jira] [Commented] (DIRKRB-79) Access the PAC-region of AS_REQ to get group membership information supplied by MS KDC

2017-08-12 Thread Dmitry Bedrin (JIRA)

[ https://issues.apache.org/jira/browse/DIRKRB-79?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16124683#comment-16124683 ]

Dmitry Bedrin commented on DIRKRB-79:
-------------------------------------

Project JAASLounge supports parsing this data:
https://github.com/pingidentity/jaaslounge-decoding/blob/master/src/main/java/org/jaaslounge/decoding/pac/PacLogonInfo.java

The project (both original and this fork) seems abandoned, though.

> Access the PAC-region of AS_REQ to get group membership information supplied 
> by MS KDC
> ---------------------------------------------------------------------------
>
> Key: DIRKRB-79
> URL: https://issues.apache.org/jira/browse/DIRKRB-79
> Project: Directory Kerberos
> Issue Type: Wish
> Reporter: Alex Karasulu
> Assignee: Emmanuel Lecharny
> Priority: Minor
>
> The Microsoft KDC uses the PAC-region to supply authorization information 
> (namely group memberships) returned back to systems in the authentication 
> response of the Authentication Service. 
> It's foreseeable that the kerberos codec will eventually be used for the de 
> facto standard KRB5 client hosted here at Directory. This capability to 
> access the PAC's group membership information will allow KRB clients using 
> this library to manage authorization based on MS network groups. Here's a 
> paper talking about the PAC region: 
> http://msdn.microsoft.com/en-us/library/Aa302203


