2010-12-13

SPNEGO Insanity

A year ago we implemented SSO via SPNEGO for one of our applications at work.
After increasing header sizes on various layers, it seemed to work OK.
This past weekend it blew up in our faces: during an upgrade, the people who were supposed to test the application couldn't log in.  It turned out that numerous groups had been added because of a file server migration, and that pushed their Kerberos ticket size over the limit we could handle.

The reason for this is something called the PAC, a Microsoft-only extension to the Kerberos V protocol that includes authorization info (basically the SIDs of the groups you're in).  Since the application is Java and only wants to know who you are (it still gets your rights from its own database), this information is completely useless.

After trying to find which piece of the puzzle was dropping the packet, I came across a TechNet article that tells you how to turn it off.  Basically you just modify the value of the userAccountControl attribute in AD for the service account user (not your own user account; that would be bad).  The value (in hex) is 2000000, so remember to OR it with the current value rather than overwriting the attribute. More information about the values of userAccountControl is here.
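As an added example (not code from the original post), here is a small Python helper that does the arithmetic the paragraph describes: it decodes an existing userAccountControl value into its flag names, checks whether the 0x2000000 bit (which Microsoft's documentation calls NO_AUTH_DATA_REQUIRED) is already set, ORs it in without disturbing the other bits, and emits an LDIF modify record you could feed to ldapmodify. The DN and the current attribute value are constructed sample inputs; in practice you read userAccountControl from AD first and pass that number in. The same decoder is handy afterwards for auditing which accounts in the directory have the PAC turned off.

```python
"""Compute the userAccountControl change that disables PAC generation
for a service account, and express it as an LDIF modify record.

Added example; the DN and current value below are constructed samples.
"""

# Bit names for userAccountControl as documented by Microsoft.
# 0x2000000 is the bit the post sets (NO_AUTH_DATA_REQUIRED in Microsoft's docs).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x2000000: "NO_AUTH_DATA_REQUIRED",
}

NO_AUTH_DATA_REQUIRED = 0x2000000  # the value the post tells you to OR in


def decode_uac(value):
    """Return the names of all bits set in a userAccountControl value,
    lowest bit first.  Bits not in the table are reported as UNKNOWN_0x...
    so nothing is silently hidden."""
    names = []
    bit = 1
    while bit <= value:
        if value & bit:
            names.append(UAC_FLAGS.get(bit, "UNKNOWN_0x%X" % bit))
        bit <<= 1
    return names


def pac_disabled(value):
    """True if the account already has NO_AUTH_DATA_REQUIRED set."""
    return bool(value & NO_AUTH_DATA_REQUIRED)


def disable_pac(value):
    """OR the bit in; every other flag on the account is preserved.
    Calling this twice is harmless (idempotent)."""
    return value | NO_AUTH_DATA_REQUIRED


def ldif_disable_pac(dn, current_value):
    """Build an LDIF modify record for ldapmodify, or return None when the
    bit is already set so nothing needs changing."""
    if pac_disabled(current_value):
        return None
    new_value = disable_pac(current_value)
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: userAccountControl\n"
        "userAccountControl: %d\n"
        "-\n" % (dn, new_value)
    )


if __name__ == "__main__":
    # Constructed sample: a service account with NORMAL_ACCOUNT and
    # DONT_EXPIRE_PASSWORD set (0x10200 = 66048), as read from AD.
    sample_dn = "CN=svc-app,OU=Service Accounts,DC=example,DC=com"
    sample_uac = 0x10200
    print("current flags:", ", ".join(decode_uac(sample_uac)))
    ldif = ldif_disable_pac(sample_dn, sample_uac)
    print(ldif if ldif else "already set, nothing to do")
    print("flags after change:", ", ".join(decode_uac(disable_pac(sample_uac))))
```

Running the script on the sample prints the LDIF with `userAccountControl: 33620480` (0x2010200), which is 0x10200 with the 0x2000000 bit added; run it again on that value and it reports nothing to do.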

This is good, because we are going to migrate our Linux hosts to use AD for authentication (I'll post instructions for that later, as it took forever to find the right tweaks to get the whole box using Kerberos - no stupid LDAP account in the ldap.conf file), and this might affect them as well.

An update: msktutil already has this option; just specify --no-pac.  I was going to add it, but it was already there.