1.1.1.1 Authorization Information (PAC)

For a server implementation of an authentication protocol, a successful authentication produces several kinds of data. Some of it belongs to the authentication protocol itself, such as the keys used to protect subsequent communication, and is covered by the relevant authentication protocol specification. In addition, once the identity of the client has been established, data describing what that client is authorized to do on the server is derived. This authorization information is frequently referred to as a Privilege Attribute Certificate (PAC); it contains the client's group memberships together with its claims, or the group memberships alone, as issued by the domain controller. Each authentication protocol uses its own data structure to carry the authorization information. The following table maps each authentication protocol to its authorization data structure and to the specifications that define it.
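The PAC described above is a PACTYPE blob: a count of buffers, a version (always 0), a directory of PAC_INFO_BUFFER entries (type, size, 64-bit offset), and the 8-byte aligned buffers themselves, of which two are signatures: the server checksum, keyed with the service's long-term key, and the KDC checksum, keyed with the krbtgt key over the server signature. A server implementation must verify the server checksum before it trusts the group memberships and claims the PAC carries. The following is an added example, not code from this page or from [MS-PAC]: it encodes a constructed PAC (the names, SID, FILETIME and keys are invented), parses the directory with bounds checks, decodes the PAC_CLIENT_INFO and UPN_DNS_INFO buffers, and recomputes the RC4-HMAC server signature (KERB_CHECKSUM_HMAC_MD5, RFC 4757) over the PAC with both signature fields zeroed. The AES signature types are recognised but not computed, and the NDR-encoded KERB_VALIDATION_INFO (logon info) and claims buffers are not decoded.

```python
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values ([MS-PAC] section 2.4) handled by this example
PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 0x06, 0x07
PAC_CLIENT_INFO, PAC_UPN_DNS_INFO = 0x0A, 0x0C
# PAC_SIGNATURE_DATA SignatureType values and the signature length each implies
KERB_CHECKSUM_HMAC_MD5, HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256 = 0xFFFFFF76, 0x0F, 0x10
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES128: 12, HMAC_SHA1_96_AES256: 12}
KERB_NON_KERB_CKSUM_SALT = 17  # key usage number for PAC signatures

def hmac_md5_checksum(key, data, usage=KERB_NON_KERB_CKSUM_SALT):
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757 section 4), the RC4-HMAC PAC signature."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def build_pac(buffers):
    """Lay out (ulType, bytes) pairs as a PACTYPE: cBuffers, Version, directory, 8-byte aligned buffers."""
    offset = 8 + 16 * len(buffers)  # header plus directory, already a multiple of 8
    directory, body = b"", b""
    for ul_type, data in buffers:
        directory += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\x00" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + directory + body

def parse_pac(blob):
    """Return {ulType: (offset, size)} after bounds-checking every directory entry."""
    c_buffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    entries = {}
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("buffer type 0x%x extends past the end of the PAC" % ul_type)
        entries[ul_type] = (offset, size)
    return entries

def buffer_of(blob, ul_type):
    """Raw bytes of one PAC buffer; KeyError if the PAC does not carry that type."""
    offset, size = parse_pac(blob)[ul_type]
    return bytes(blob[offset:offset + size])

def parse_client_info(data):
    """PAC_CLIENT_INFO: ClientId (FILETIME), NameLength, Name (UTF-16LE, no terminator)."""
    client_id, name_len = struct.unpack_from("<QH", data, 0)
    return client_id, data[10:10 + name_len].decode("utf-16-le")

def parse_upn_dns_info(data):
    """UPN_DNS_INFO; all offsets are relative to the start of this buffer."""
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", data, 0)
    text = lambda off, ln: data[off:off + ln].decode("utf-16-le")
    info = {"upn": text(upn_off, upn_len), "dns_domain": text(dns_off, dns_len), "flags": flags}
    if flags & 0x2:  # S flag: SamName and Sid fields follow the fixed header
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", data, 12)
        info["sam_name"] = text(sam_off, sam_len)
        info["sid"] = data[sid_off:sid_off + sid_len]
    return info

def verify_server_checksum(blob, server_key):
    """Recompute the server signature over the PAC with both signature fields zeroed."""
    entries = parse_pac(blob)
    zeroed = bytearray(blob)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if t not in entries:
            raise ValueError("PAC is missing signature buffer 0x%x" % t)
        off, size = entries[t]
        sig_type = struct.unpack_from("<I", blob, off)[0]
        if sig_type not in SIG_LEN or size < 4 + SIG_LEN[sig_type]:
            raise ValueError("unknown or truncated signature type 0x%x" % sig_type)
        zeroed[off + 4:off + 4 + SIG_LEN[sig_type]] = b"\x00" * SIG_LEN[sig_type]
    off = entries[PAC_SERVER_CHECKSUM][0]
    if struct.unpack_from("<I", blob, off)[0] != KERB_CHECKSUM_HMAC_MD5:
        raise NotImplementedError("only the RC4-HMAC (HMAC-MD5) signature is implemented here")
    expected = hmac_md5_checksum(server_key, bytes(zeroed))
    return hmac.compare_digest(expected, bytes(blob[off + 4:off + 20]))

def sample_pac(server_key, kdc_key):
    """Constructed example PAC (not a capture): client info, UPN/DNS info, both signatures."""
    u16 = lambda s: s.encode("utf-16-le")
    name, upn, dns, sam = u16("alice"), u16("alice@corp.example"), u16("CORP.EXAMPLE"), u16("alice")
    sid = struct.pack("<BB6s5I", 1, 5, b"\x00\x00\x00\x00\x00\x05", 21, 1, 1, 1, 1001)  # S-1-5-21-1-1-1-1001
    client_info = struct.pack("<QH", 0x01D9000000000000, len(name)) + name  # arbitrary FILETIME
    offs = [20, 20 + len(upn), 20 + len(upn) + len(dns), 20 + len(upn) + len(dns) + len(sam)]
    upn_dns = struct.pack("<HHHHIHHHH", len(upn), offs[0], len(dns), offs[1], 0x2,
                          len(sam), offs[2], len(sid), offs[3]) + upn + dns + sam + sid
    empty_sig = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * 16
    pac = bytearray(build_pac([(PAC_CLIENT_INFO, client_info), (PAC_UPN_DNS_INFO, upn_dns),
                               (PAC_SERVER_CHECKSUM, empty_sig), (PAC_PRIVSVR_CHECKSUM, empty_sig)]))
    entries = parse_pac(pac)
    srv_off, kdc_off = entries[PAC_SERVER_CHECKSUM][0], entries[PAC_PRIVSVR_CHECKSUM][0]
    server_sig = hmac_md5_checksum(server_key, bytes(pac))  # both signature fields are still zero
    pac[srv_off + 4:srv_off + 20] = server_sig
    pac[kdc_off + 4:kdc_off + 20] = hmac_md5_checksum(kdc_key, server_sig)  # KDC signs the server signature
    return bytes(pac)
```

`verify_server_checksum` is the check a service can perform with its own key; the KDC checksum can only be verified by a domain controller, since it requires the krbtgt key. Any change to a byte of the PAC, including the client name or a group SID inside the logon info buffer, changes the recomputed server signature, which is why the server signature must be verified before any authorization decision is made from the PAC's contents.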

Authentication protocol                                                          | Authorization data structure    | Reference technical documents
Kerberos Protocol Extensions                                                     | Privilege attribute certificate | [MS-PAC]
Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol | Privilege attribute certificate | [MS-PAC]
NT LAN Manager (NTLM) Authentication Protocol                                    | NETLOGON_VALIDATION_SAM_INFO    | [MS-APDS], [MS-NRPC]
Digest Protocol Extensions                                                       | Privilege attribute certificate | [MS-PAC], [MS-DPSP], [MS-APDS]
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) protocols              | Privilege attribute certificate | [MS-PAC], [MS-RCMP]
