krb5.pac.validation

This configuration parameter specifies whether or not to verify that the user's PAC (Privilege Authorization Certificate) information is from a trusted KDC (Key Distribution Center) so as to prevent what's referred to as a "silver ticket" attack.

When performing credential verification, a service ticket is fetched for the local system. After the credential is verified, the local system uses the PAC information in the service ticket.

This setting take effect when krb5.verify.credentials is enabled or when DirectControl is using the user's PAC from a service ticket. This setting does not apply to retrieving the PAC by way of the S4U2Self protocol.

There are 3 possible values for krb.pac.validation:

  • disabled (default): NO PAC validation will be done at all.
  • enabled: If PAC Validation fails, the PAC information is used and the user login is allowed.
  • enforced: If PAC Validation fails, the PAC information is discarded and the user login is denied.

Setting this parameter to enabled or enforced will have significant impact on the user login and user's group fetch performance.

For example:

krb5.pac.validation: disabled

If this parameter is not defined in the configuration file, its default value is disabled.