http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspxKerberos is well… Kerberos. And NTLM is NTLM right? Right. Most of the time. This post is from a recent hotfix I worked on where it was made painfully clear that this isn’t always true. Here is a cool overview stolen from msdn And the following tableen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#1846758Fri, 09 Mar 2007 22:00:58 GMT91d46819-8472-40ad-a661-2c78acb4018c:1846758KaPes<p>Hi,</p> <p>We also had encountered the same problem on one of the machine, and searching for those events on eventid.net, we tried some solution listed there. One of them was to set MTU of the network right. After setting the MTU it solved the problem.</p> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#1847957Sat, 10 Mar 2007 01:05:18 GMT91d46819-8472-40ad-a661-2c78acb4018c:1847957SpatDSG<p>Ah good information. Thanks!</p> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#3838589Fri, 13 Jul 2007 03:12:53 GMT91d46819-8472-40ad-a661-2c78acb4018c:3838589BJSmithCO<p>What is the response of the system if the PAC information is not provided in the ticket (NO_AUTH_DATA_REQUIRED)? Does this basically cripple a Win2003 server? Can users still authenticate and gain authorizations to access network resources, or do they just have a ticket to nowhere? I'm looking at removing the PAC as a means to enable Solaris 8 users to authenticate directly against AD2003 (where Solaris Kerberos only talks UDP), but I'm concerned about the effect on my Windows users.</p> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#7448676Tue, 05 Feb 2008 01:24:46 GMT91d46819-8472-40ad-a661-2c78acb4018c:7448676Venkat<p>Why are we doing a PAC verification for a computer account while doing a logon? </p> <p>I thought PAC verification is carried out only if a service is run as a user account and not with local system.</p> <p>Since the computer account would have the Tcbprivilege, why do we do a PAC validation?</p> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#9512535Fri, 27 Mar 2009 03:53:30 GMT91d46819-8472-40ad-a661-2c78acb4018c:9512535Spat's WebLog (Steve Patrick)<p>I had been meaning to blog about this for a while, and recently was teaching a class when a friend of</p> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#9599501Sat, 09 May 2009 21:39:56 GMT91d46819-8472-40ad-a661-2c78acb4018c:9599501OpenSpecification<p>Edgar's post on Open Specification blog: Understanding Microsoft Kerberos PAC Validation</p> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#9908187Fri, 16 Oct 2009 14:01:36 GMT91d46819-8472-40ad-a661-2c78acb4018c:9908187Ross<p>I know this is an old topic and I hate to be a bit stroppy here, but as a Network guy who has just experienced this problem...</p> <p>You have a fault that causes all apps to be uninstalled if the network &quot;fails&quot; or experiences a &quot;transient fault&quot;. &nbsp;Hello - wireless roaming anyone? 3G access in trains? VPN's over the internet? </p> <p>Sorry, but how can this ever be interpreted as a network issue? Network connections come and go (sometimes for very good reasons - congested hubs / access lists/firewalls.), The application should simply acknowledge the failure to complete the authentication and move on - not trigger this type of event.</p> <p>Be fair, this is plainly an unfortunate oversight or poor coding.</p> http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx#9915905Sun, 01 Nov 2009 18:16:16 GMT91d46819-8472-40ad-a661-2c78acb4018c:9915905SpatDSG<p>Agreed! That's why we developed the hotfix in <a rel="nofollow" target="_new" href="http://support.microsoft.com/?kbid=929624">http://support.microsoft.com/?kbid=929624</a></p>