Microsoft PAC in a Pickle

Posted 19 Dec 2002 at 21:21 UTC by lkcl

Microsoft has patented the use of a PAC in Kerberos, which returns user profile information immediately after login, whilst also claiming compatibility with Kerberos 5.

The PAC is a bundle of user profile components, indicating where a user may log in, when they are allowed to log in, what their home directory is, what groups they are in, etc.

The concept of a PAC has been around for several years: the first introduction that I am aware of is by DEC, in DCE/RPC, from whom Microsoft copied the idea.

The Open Group's extensions to Kerberos to allow a PAC to be obtained are Kerberos-compatible: there is a special field in Kerberos, the application-specific field, that can be used for this purpose once Kerberos authentication has completed. The Open Group's PAC includes UUIDs representing the groups that the user is in, but the concept is basically the same.

Microsoft's PAC is virtually identical to the PAC returned as part of Microsoft's NETLOGON protocol, which is part of the NT Domain Suite. The difference between the Windows 2000 (aka NT 5.0) PAC and the Windows NT (3.5, 3.51 and 4.0) PAC is a digital signature field of 40 bytes in length instead of 8, plus a 16-byte digital signature over the whole PAC.
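The signature buffers that the Windows 2000 PAC adds can be located by walking the PAC's buffer directory, and a verifier should refuse a PAC that lacks either one. The Python below is an added example, not code from this post; it assumes the PACTYPE / PAC_INFO_BUFFER layout, buffer-type numbers and signature-type values that Microsoft later published in its MS-PAC specification (none of which appear in the post), and the PAC it parses is a constructed sample with placeholder signature bytes.

```python
import struct

# PAC_INFO_BUFFER.ulType values (assumed from MS-PAC, not from this post).
PAC_LOGON_INFO = 1
PAC_SERVER_CHECKSUM = 6     # signature by the target service's key
PAC_PRIVSVR_CHECKSUM = 7    # signature by the KDC's key
PAC_CLIENT_INFO = 10

# PAC_SIGNATURE_DATA.SignatureType -> signature length in bytes (assumed from MS-PAC).
SIGNATURE_LENGTHS = {0xFFFFFF76: 16,   # KERB_CHECKSUM_HMAC_MD5 (RC4 keys)
                     15: 12,           # HMAC_SHA1_96_AES128
                     16: 12}           # HMAC_SHA1_96_AES256


def parse_pac(blob):
    """Walk the PACTYPE header and return {ulType: buffer bytes}, bounds-checked."""
    if len(blob) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0 or len(blob) < 8 + 16 * count:
        raise ValueError("bad PACTYPE header")
    buffers = {}
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError(f"buffer type {ul_type} runs past end of PAC")
        buffers[ul_type] = blob[offset:offset + size]
    return buffers


def check_signatures(blob):
    """Return {'server': (type, len), 'kdc': (type, len)}; reject a PAC missing either."""
    buffers = parse_pac(blob)
    found = {}
    for name, ul_type in (("server", PAC_SERVER_CHECKSUM), ("kdc", PAC_PRIVSVR_CHECKSUM)):
        if ul_type not in buffers:
            raise ValueError(f"PAC lacks {name} signature buffer")
        sig = buffers[ul_type]
        sig_type = struct.unpack_from("<I", sig, 0)[0]
        expected = SIGNATURE_LENGTHS.get(sig_type)
        if expected is None or len(sig) < 4 + expected:
            raise ValueError(f"{name} signature has unknown type or wrong length")
        found[name] = (sig_type, expected)
    return found


def build_sample_pac():
    """Constructed sample PAC: logon info, client name and two HMAC-MD5 signatures."""
    name = "alice".encode("utf-16-le")
    payloads = [(PAC_LOGON_INFO, b"\x00" * 32),                       # placeholder NDR blob
                (PAC_CLIENT_INFO, struct.pack("<QH", 0, len(name)) + name),
                (PAC_SERVER_CHECKSUM, struct.pack("<I", 0xFFFFFF76) + b"\x11" * 16),
                (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", 0xFFFFFF76) + b"\x22" * 16)]
    entries, body, offset = b"", b"", 8 + 16 * len(payloads)
    for ul_type, data in payloads:
        padded = data + b"\x00" * (-len(data) % 8)                    # buffers are 8-byte aligned
        entries += struct.pack("<IIQ", ul_type, len(data), offset)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(payloads), 0) + entries + body
```

The placeholder signature bytes are not verified here; a real check would recompute each HMAC with the service and KDC keys and compare.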

The difference is, to all intents and purposes, insignificant.

What Microsoft have done is to develop incompatible extensions to the Kerberos 5 protocol, and return the PAC as part of the authorisation process.

The advantage of this process is that the login time is quicker. The disadvantage is that it breaks Kerberos.

What a mess.

Not only is there prior art for doing authentication and returning user profile information in one round-trip, in Microsoft's own protocols which are, thanks to myself and Paul Ashton, public knowledge (documented and implemented), but also their patent makes it impossible for Kerberos 5 implementers to extend the Kerberos Specification to include the PAC, for fear of a patent lawsuit.

Money and stupidity win out, once more.

Stupidity of users for backing Microsoft by paying for their products.

Stupidity of the Open Source community for not backing people capable of taking on Microsoft.

Stupidity of Microsoft's competitors for not being technically and strategically as smart as Microsoft.

Stupidity of the United States Dept. of Justice for listening to the wrong people.


Does anyone know of any other authentication systems with similar features, such that it can be demonstrated that there is definitely prior art?
