I am trying to extract group membership information from a Kerberos ticket generated on Windows 2008 R2.
I found the following expression in the URL: Kerberos also explores mechanisms for including group membership information in Kerberos authorization data. Although it would be beneficial to include group names in ACLs, the GSS-API does not currently have a mechanism to support this.
Microsoft seems to have expanded Kerberos to include group membership based on this URL: http://msdn.microsoft.com/en-us/library/ms817918.aspx : Kerberos authentication group membership extensions extend the Kerberos Network Service specification (version 5) to support interactive login authentication and group membership information for the Microsoft Windows operating system. Extensions include an Access Certificate Structure (PAC) located in the Kerberos v5 ticket authorization data field.
This URL refers to the field (authorization data) on the ticket, which I cannot determine how to access using this API: http://docs.oracle.com/javase/6/docs/api/org/ietf/jgss/GSSContext.html
Does anyone know how to access this field? Or perhaps a guide to extracting group information from a Kerberos ticket created on Windows 2008 R2.
I write in Java, but also want to write in C. The logic for extracting group information from a ticket is performed on UNIX, despite using Windows as the Kerberos server.
Thanks for any help you can give me!
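An added example, not part of the original post: a C sketch of the first step once the PAC bytes are in hand, walking the PAC buffer directory (PACTYPE header followed by PAC_INFO_BUFFER entries, little-endian, as laid out in Microsoft's MS-PAC specification) to locate the logon-information buffer that carries the group membership. It assumes the service ticket has already been decrypted with the service key and the PAC element pulled out of the authorization data; `pac_find_buffer`, `pac_buffer` and `SAMPLE_PAC` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAC_LOGON_INFO 1u  /* MS-PAC buffer type holding KERB_VALIDATION_INFO (group RIDs) */

typedef struct { uint32_t type; uint32_t size; uint64_t offset; } pac_buffer;

/* Constructed sample: 2 directory entries, then 16 zero bytes standing in for buffer data. */
static const uint8_t SAMPLE_PAC[56] = {
    0x02,0,0,0,  0,0,0,0,                    /* cBuffers = 2, Version = 0 */
    0x01,0,0,0,  0x08,0,0,0,  0x28,0,0,0,0,0,0,0,  /* type 1, 8 bytes, offset 40 */
    0x06,0,0,0,  0x04,0,0,0,  0x30,0,0,0,0,0,0,0   /* type 6, 4 bytes, offset 48 */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Returns 0 and fills *out if a buffer of type `want` exists,
   1 if the directory is valid but has no such buffer, -1 if malformed. */
int pac_find_buffer(const uint8_t *pac, size_t len, uint32_t want, pac_buffer *out) {
    if (len < 8) return -1;
    uint32_t count = rd32(pac);
    if (rd32(pac + 4) != 0) return -1;           /* Version must be 0 */
    if (count > (len - 8) / 16) return -1;       /* directory must fit in the input */
    size_t dir_end = 8 + (size_t)count * 16;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = pac + 8 + (size_t)i * 16;
        pac_buffer b = { rd32(e), rd32(e + 4), rd64(e + 8) };
        /* The PAC arrives from the network: reject unaligned or out-of-range offsets. */
        if (b.offset % 8 != 0 || b.offset < dir_end || b.offset > len) return -1;
        if (b.size > len - b.offset) return -1;
        if (b.type == want) { *out = b; return 0; }
    }
    return 1;
}

int main(void) {
    pac_buffer b;
    if (pac_find_buffer(SAMPLE_PAC, sizeof SAMPLE_PAC, PAC_LOGON_INFO, &b) == 0)
        printf("logon info: offset=%llu size=%u\n", (unsigned long long)b.offset, b.size);
    return 0;
}
```

The bytes at the returned offset are an NDR-encoded KERB_VALIDATION_INFO structure; decoding it, and verifying the PAC signatures before trusting any group it lists, are separate steps not shown here.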