Subject: Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?
From: Paul Leach (paulle@EXCHANGE.MICROSOFT.COM)
Date: Tue Mar 14 2000 - 15:23:08 CST


> -----Original Message-----
> From: Luke Kenneth Casson Leighton [mailto:lkcl@SAMBA.ORG]
> Sent: Tuesday, March 14, 2000 11:03 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: (Fwd) Re: Win2000 and BIND GSS-TSIG Interoperability?
>
> for the record, there was absolutely no need for microsoft to turn an
> authentication mechanism (kerberos) into a user-profile-providing
> mechanism (by adding the PAC authentication field), it just fitted in
> better with their internal APIs to do this. with not much extra trouble
> they could have (and still can) extend and then use a proprietary,
> pre-existing mechanism (for example, \PIPE\NETLOGON).

For the record, if there is no such need, why did the OSF DCE do exactly the
same thing more than ten years ago?

My previous response to Paul Hill's post described how use of PACs reduces
load on servers and DCs, which is why we (and the DCE) did it. Authorization
data is computed once at logon time instead of once per authentication.

As for "fitting our internal APIs better", that's nonsense. If we had
expanded the group information at each authentication, that would have been
_more_ like the existing structure of NTLM, which does the same thing, not
less.

Paul
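The load argument in Paul's reply, as an added illustration that is not part of the original thread: a toy model in which a DC counts group-expansion requests, comparing a ticket that carries a PAC verified locally by the service against NTLM-style pass-through to the DC on every authentication. The DomainController class, the HMAC standing in for the real PAC checksums, and all keys and group data are constructed assumptions.

```python
import hashlib
import hmac

class DomainController:
    """Constructed stand-in for a DC; counts group-expansion requests."""
    def __init__(self, groups):
        self.groups = groups  # user -> group names (constructed data)
        self.lookups = 0
    def expand_groups(self, user):
        self.lookups += 1
        return list(self.groups[user])

def _pac_mac(service_key, user, pac):
    # Simplified stand-in for the PAC's KDC/server checksums: an HMAC under the service key.
    msg = (user + "|" + ",".join(pac)).encode()
    return hmac.new(service_key, msg, hashlib.sha256).digest()

def issue_ticket(dc, service_key, user):
    """KDC side: expand groups once at logon and bind them into the ticket."""
    pac = dc.expand_groups(user)
    return {"user": user, "pac": pac, "mac": _pac_mac(service_key, user, pac)}

def verify_pac(service_key, ticket):
    """Service side: check the PAC is the one the KDC bound into this ticket."""
    expected = _pac_mac(service_key, ticket["user"], ticket["pac"])
    return hmac.compare_digest(expected, ticket["mac"])

def authorize_with_pac(service_key, ticket):
    """Decide from the verified PAC; no DC round trip per authentication."""
    if not verify_pac(service_key, ticket):
        raise PermissionError("PAC integrity check failed")
    return "Admins" in ticket["pac"]

def authorize_passthrough(dc, user):
    """NTLM-style: ask the DC to expand groups on every authentication."""
    return "Admins" in dc.expand_groups(user)

def count_dc_lookups(n_auths):
    """(DC lookups with PAC, DC lookups pass-through) for n_auths logons to one service."""
    groups = {"alice": ["Users", "Admins"]}
    key = b"constructed-service-key"
    dc_pac = DomainController(groups)
    ticket = issue_ticket(dc_pac, key, "alice")
    for _ in range(n_auths):
        authorize_with_pac(key, ticket)
    dc_pt = DomainController(groups)
    for _ in range(n_auths):
        authorize_passthrough(dc_pt, "alice")
    return dc_pac.lookups, dc_pt.lookups
```

The integrity check is what makes the once-at-logon model safe: a PAC altered after issue fails verify_pac, so the service never trusts group claims the KDC did not bind into the ticket.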