How does Quest Authentication Services (QAS/VAS) handle the Windows authorization data written into the Privilege Attribute Certificate (PAC) field of a ticket-granting service (TGS) response received from an Active Directory (AD) Kerberos Key Distribution Center (KDC)?
The PAC contains several pieces of authorization data that VAS does not use directly from the ticket, such as the password expiration time and the user account control flags (account disabled, and so on). Because this information is stored in AD for every user, VAS caches it from there so that it can still honor all of it when a user authenticates through VAS by a method that never produces a TGS response, and therefore no PAC (SSH public-key authentication, for example).
To summarize, we honor all of the authorization data contained in the PAC (although we may not read it from the PAC itself), with the exception of the logoff time and kickoff time, which we do not currently enforce on UNIX clients.
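The point of the answer above is that account-state authorization data still has to be enforced on login paths that never yield a service ticket, and therefore no PAC. The following is an added illustration, not Quest's code: it evaluates a cached copy of the relevant AD attributes (userAccountControl, accountExpires, pwdLastSet, plus the domain's maxPwdAge) the way a UNIX client could before admitting an SSH key login. The attribute names and flag bit values are Microsoft's documented ones; the cache dictionary layout, the function names and the sample entries are assumptions made for this example, and logoff/kickoff time is deliberately left unchecked to match what the article states.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits as documented by Microsoft for the AD attribute.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# AD stores accountExpires and pwdLastSet as Windows FILETIME values:
# 100-nanosecond ticks since 1601-01-01 UTC. This is the tick offset to the Unix epoch.
FILETIME_UNIX_EPOCH = 116444736000000000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Either accountExpires value means "account never expires".
ACCOUNT_NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return UNIX_EPOCH + timedelta(microseconds=(ft - FILETIME_UNIX_EPOCH) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here to build constructed cache entries."""
    delta = dt - UNIX_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 10_000_000
            + delta.microseconds * 10 + FILETIME_UNIX_EPOCH)


def evaluate_cached_account(entry, now, max_pwd_age):
    """Decide whether a cached AD account may log in via a path that yields no PAC.

    entry       -- dict with the cached attributes userAccountControl,
                   accountExpires and pwdLastSet (hypothetical cache layout)
    now         -- aware UTC datetime of the login attempt
    max_pwd_age -- domain password lifetime as a timedelta (AD's maxPwdAge,
                   already converted from its negative-tick encoding)
    Returns (allowed, reasons); reasons lists every check that failed.
    """
    reasons = []
    uac = entry["userAccountControl"]

    if uac & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")
    if uac & UF_LOCKOUT:
        reasons.append("account locked out")

    expires = entry["accountExpires"]
    if expires not in ACCOUNT_NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("account expired")

    if not uac & UF_DONT_EXPIRE_PASSWD:
        pwd_last_set = entry["pwdLastSet"]
        if pwd_last_set == 0:
            # pwdLastSet of 0 means "user must change password at next logon".
            reasons.append("password change required")
        elif filetime_to_datetime(pwd_last_set) + max_pwd_age <= now:
            reasons.append("password expired")

    # Logoff time and kickoff time are deliberately not checked, matching the
    # behaviour the article describes for UNIX clients.
    return (not reasons, reasons)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed cache entry for illustration, not real directory data.
    entry = {
        "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
        "accountExpires": 0,
        "pwdLastSet": datetime_to_filetime(now - timedelta(days=10)),
    }
    print(evaluate_cached_account(entry, now, timedelta(days=90)))
```

A client that only consulted the PAC would never see the disabled flag or the stale password on a key-based SSH login; running every failed check into the `reasons` list rather than returning on the first one also gives an auditable record of why a login was refused.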