[cifs-protocol] {REG:110092746298128] RE: krbtgt key to sign PAC with on an RODC

Tom Jebo tomjebo at microsoft.com
Mon Sep 27 06:57:57 MDT 2010

Good morning Andrew, 

Thank you for your question regarding [MS-PAC]. One of the Open Specifications engineers will follow up with you shortly. Your case number for reference is: 110092746298128

Best regards,
Tom Jebo
Escalation Engineer
Microsoft Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, September 27, 2010 7:25 AM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: krbtgt key to sign PAC with on an RODC

If a RODC signs the PAC with the krbtgt key of the RODC, how is this marked in the PAC, so that another DC can verify the PAC if presented over NetLogon?

MS-PAC 2.8.2 KDC Signature does not make this very clear. 

Does a RODC not provide this signature, as it can't get the krbtgt key, or does it use its own krbtgt?

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
