1.1.1.1 Authorization Information (PAC)
For a server implementation of an authentication protocol, a successful authentication produces a variety of data. Some of that data belongs to the authentication protocol itself, such as keys for encrypted communication, and is covered in the relevant authentication protocol specification. In addition, once the identity of the client is established, further data that describes the client's authorization to the server is derived. This authorization information is frequently referred to as a Privilege Attribute Certificate (PAC); it carries the group memberships and claims (or group memberships alone) that the domain controller returns for the client. Each authentication protocol uses its own data structure to carry this authorization information. The following table maps each authentication protocol to the authorization data structure it carries and to the technical documents that specify that structure.
| Authentication protocol | Authorization data structure | Reference technical documents |
|---|---|---|
| Kerberos Protocol Extensions | Privilege attribute certificate | |
| Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol | Privilege attribute certificate | [MS-PAC] |
| NT LAN Manager (NTLM) Authentication Protocol | NETLOGON_VALIDATION_SAM_INFO | |
| Digest Protocol Extensions | Privilege attribute certificate | [MS-PAC] [MS-APDS] |
| Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols | Privilege attribute certificate | [MS-PAC] |
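As an added illustration of the "privilege attribute certificate" structure named in the table (this is example code written for this page, not code from the specification or from any Microsoft implementation), the following Python walks the outer container of a PAC: the PACTYPE header (cBuffers, Version) followed by an array of PAC_INFO_BUFFER entries (ulType, cbBufferSize, Offset), with each buffer starting on an 8-byte boundary. The field layout and the ulType values are taken from [MS-PAC]; the sample PAC bytes, the placeholder logon-info payload, and the helper names (`build_pac`, `parse_pac`, `has_required_signatures`, `parse_signature`) are constructed here. The point a relying party should take from it: group and claim data in the PAC is only as trustworthy as the server and KDC signature buffers that cover it, so a parser should check bounds and alignment and should refuse a PAC that lacks those signature buffers before it ever looks at group SIDs.

```python
import struct

# ulType values for PAC_INFO_BUFFER, per [MS-PAC] (subset).
PAC_BUFFER_TYPES = {
    0x01: "KERB_VALIDATION_INFO (logon info: user RID, group RIDs, extra SIDs)",
    0x02: "PAC_CREDENTIAL_INFO",
    0x06: "Server checksum (PAC_SIGNATURE_DATA)",
    0x07: "KDC checksum (PAC_SIGNATURE_DATA)",
    0x0A: "PAC_CLIENT_INFO",
    0x0C: "UPN_DNS_INFO",
    0x0D: "Client claims",
    0x0E: "Device info",
    0x0F: "Device claims",
    0x10: "Ticket checksum",
}

# Constructed stand-in for the NDR-encoded KERB_VALIDATION_INFO payload; it is
# opaque filler here, not a real logon-info encoding.
LOGON_INFO_PLACEHOLDER = b"\x11" * 24


def build_pac(buffers):
    """Serialize (ulType, data) pairs into a PACTYPE blob (constructed test helper).

    Layout: cBuffers, Version (both ULONG, little-endian), then one
    PAC_INFO_BUFFER per entry (ULONG ulType, ULONG cbBufferSize, ULONG64 Offset),
    then the buffer bodies, each padded to an 8-byte boundary."""
    header_len = 8 + 16 * len(buffers)      # always a multiple of 8
    body = bytearray()
    entries = []
    for ul_type, data in buffers:
        offset = header_len + len(body)
        entries.append((ul_type, len(data), offset))
        body += data
        body += b"\x00" * (-len(body) % 8)  # pad so the next buffer is aligned
    out = struct.pack("<II", len(buffers), 0)  # Version MUST be 0
    for ul_type, size, offset in entries:
        out += struct.pack("<IIQ", ul_type, size, offset)
    return out + bytes(body)


def parse_pac(pac):
    """Parse the PACTYPE header and PAC_INFO_BUFFER array, validating every offset.

    Returns a list of dicts (type, name, size, offset, data); raises ValueError on
    a truncated header, a buffer that escapes the blob, or a misaligned offset."""
    if len(pac) < 8:
        raise ValueError("PAC shorter than PACTYPE header")
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    header_end = 8 + 16 * cbuffers
    if header_end > len(pac):
        raise ValueError("PAC_INFO_BUFFER array runs past end of PAC")
    buffers = []
    for i in range(cbuffers):
        ul_type, cb_size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        # Each buffer must start on an 8-byte boundary, after the header, and
        # end inside the blob; anything else is malformed and must not be used.
        if offset % 8 != 0 or offset < header_end or offset + cb_size > len(pac):
            raise ValueError("buffer %d (type 0x%x) has invalid bounds" % (i, ul_type))
        buffers.append({
            "type": ul_type,
            "name": PAC_BUFFER_TYPES.get(ul_type, "unknown"),
            "size": cb_size,
            "offset": offset,
            "data": pac[offset:offset + cb_size],
        })
    return buffers


def has_required_signatures(buffers):
    """True only if both the server checksum (0x06) and KDC checksum (0x07)
    buffers are present. A PAC without them cannot be verified, so its group
    and claim data must not be trusted."""
    types = {b["type"] for b in buffers}
    return 0x06 in types and 0x07 in types


def parse_signature(buf):
    """Split a PAC_SIGNATURE_DATA buffer into its SignatureType (ULONG) and the
    signature bytes that follow it. (For HMAC-MD5 signatures an optional
    RODCIdentifier may trail the signature; it is not separated out here.)"""
    (sig_type,) = struct.unpack_from("<I", buf["data"], 0)
    return {"signature_type": sig_type, "signature": buf["data"][4:]}


def sample_signature_buffer():
    """Constructed PAC_SIGNATURE_DATA: type 0x10 (HMAC_SHA1_96_AES256) with a
    12-byte dummy signature; no real key was used to produce it."""
    return struct.pack("<I", 0x10) + b"\xaa" * 12


if __name__ == "__main__":
    pac = build_pac([(0x01, LOGON_INFO_PLACEHOLDER),
                     (0x06, sample_signature_buffer()),
                     (0x07, sample_signature_buffer())])
    for b in parse_pac(pac):
        print("type 0x%02x at offset %3d, %2d bytes: %s" % (b["type"], b["offset"], b["size"], b["name"]))
    print("signature buffers present:", has_required_signatures(parse_pac(pac)))
```

The parser deliberately stops at the container level: verifying the signature bytes requires the server's long-term key (and, for the KDC checksum, the krbtgt key), and decoding KERB_VALIDATION_INFO requires an NDR decoder, both of which are outside what this section describes. What it does show is the order of operations a defender wants: bounds and alignment first, presence of the signature buffers second, and only then any reading of group data.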