Lars Noodén wrote:
bofh wrote:
http://msdn2.microsoft.com/en-us/library/ms818754.aspx
Read the page topic and search for the word "PAC "
Several links in it appear to confirm that a broken version of
Kerberos is still used:
"The Kerberos Authentication Group Membership
Extensions extend the Kerberos Authentication
Network Service (version 5) specification..."
Extend == not a standard anymore.
Yes, a client can be hacked, and many appear to be, to accommodate a
non-standard protocol. But at the end of the day it's still not a
standard.
-Lars
From the very first story you linked:
"This field was intentionally left undefined by Kerberos's authors so
that vendors (like Microsoft) could implement customized versions."
"Let's be clear on one thing: Microsoft's customization of the
authorization placeholder field is entirely legitimate. Others,
including the OSF with its DCE specification, have customized Kerberos
in a similar manner. What's at issue here isn't Microsoft's Kerberos
extensions, but the company's disingenuous ownership claims, onerous
licensing policies, and bullying tactics."
The author (like you, perhaps) doesn't like Microsoft's tactics, but
notes that their changes are "entirely legitimate".
Regards,
Mark