Are Domain Local Groups in the PAC?

Michael B Allen ioplex at
Tue Nov 27 17:35:37 GMT 2007

On 11/27/07, ronnie sahlberg <ronniesahlberg at> wrote:
> Are there any differences in how the request pdu is constructed,
> extra flags in KDCOptions or similar or extra flags
> in the preauthentication header ?
> when it requests a http service ticket compared to a cifs ticket?

Hi Ronnie,

TGS-REQs are:

Realm: W.NET
Name: HTTP/
Name type: Service and Instance (2)
KDCOptions: Forwardable, Renewable

Realm: W.NET
Name: cifs/
Name type: Service and Instance (2)
KDCOptions: Forwardable, Renewable

Both requests are from the same XP machine to Windows 2003 Server.

> If you decrypt the tickets with wireshark, make sure to check all the
> bytes in the hexdump in there in case it "skips" something unknown.

Yeah, I scaned over the whole PAC looking for the hex values of RIDs
for DLGs the user is in. But what is more compelling is that when I
add and remove the user to and from a Domain Local group the
HTTP/ TGS-REP's size does not change whereas for
cifs/ it's size does change by 40 bytes for each DLG.

> So, when you add two DLGs then it changes by 80 bytes in size?

Yup. Exactly.

> In an all w2k environment I recall that the client will request a http
> ticket by specifying that it wants constrained-delegation.
> Maybe this affects what gets stored inside the pac?

The Contrainted Delegation flag in the KDCOptions field is not set in
either TGS-REQ so I don't think DC is involved.

I think maybe AD is selectively leaving out Domain Local groups for
HTTP service tickets. Maybe because authentication occurs with every
single request they're tyring to speed things up.


> On Nov 27, 2007 7:10 PM, Michael B Allen <ioplex at> wrote:
> > On 11/26/07, Michael B Allen <ioplex at> wrote:
> > > Hi,
> > >
> > > I'm doing some network analysis of Windows 2003 Server and I've
> > > noticed that Domain Local Groups are not in the PAC. Is that right?
> > > All the docs seem to indicate that DLGs should be in the PAC but I've
> > > captured some TGS-REPs for HTTP session tickets and they're not.
> >
> > The size of the TGS-REP for a cifs ticket changes by 40 bytes when a
> > Domain Local group is added or removed. For an HTTP ticket it does not
> > change. So it seems that DLGs are not included in HTTP session tickets
> > but they are in cifs tickets.
> >
> > Mike
> >

Michael B Allen
PHP Active Directory SPNEGO SSO

More information about the samba-technical mailing list