SPNEGO Insanity

A year ago we implimented SSO via SPNEGO for one of our applications at work.
After increasing header sizes on various layers, it has seemed to work ok.
This past weekend, it blew up in our faces as during an upgrade, the people who were supposed to test the application couldn't login.  It seems that there have been numerous groups added due to a fileserver migration and it pushed there kerberos ticket size of the limit we could handle.

Reason for this is something called the PAC, which is a Microsoft only tweak to the Kerberos V protocol that includes authorization info (basically the SID of the groups your in).  Since the application is Java, and only wants to know who you are (it still gets your rights from its own database), this information is completely useless.

After trying to find what piece in the puzzle was dropping the packet, I came across a technet article that tells you how to turn it off.  Basically you just modify the value of the userAccountControl attribute in AD for the Service Account user (not your useraccount, that would be bad).  The value (in hex) is 2000000, so remember to OR that with the current value. More information about the values of userAccountControl is here.

This is good, because we are going to be migrating our Linux hosts to use AD for authentication (I'll post instructions for that later as it took forever to find the right tweaks to get all of the box using Kerberos - no stupid LDAP account in the ldap.conf file) and this might affect them as well.

An update - msktutil has this option, just specify --no-pac.  I was going to add it, but it was already there.


...and so it begins

Ok, I finally gave in to this online ranting and raving software we call a blog.
Not due to the fact that I want to rant and rave about things, but mostly because I want a place to write down procedures, scripts, what I'm thinking about the meaning of science and math, and leave my brain open for understanding instead of remembering.

Why "The Genius of Insanity"?, well because I believe that genius is properly directed insanity.  Insane people look at the world differently then most people, and can be considered genius if they use that out of the box thinking to the benefit of mankind.

Let me say now that I am by far not a genius, and hopefully not considered insane by anyone worth stating it either.  I just want to take this genius and make it comprehensible to me and hopefully others.

Anyway, enough about that.
I will put up some content in a little bit.