How to retrieve group membership from a kerberos ticket?

jason
Guest
11-23-2011
I am trying to extract group membership information from a Kerberos
ticket generated on Windows 2008 R2.

In this URL:
http://www.cs.wustl.edu/~jain/cse571...api/index.html

I found the following statement:
Kerberos is also looking into mechanisms to include group membership
information in Kerberos authorization data. Although it would be
favorable to include group names into ACLs, GSS-API currently does not
have a mechanism to support this.

It seems Microsoft has extended Kerberos to include group membership
based on this URL:
http://msdn.microsoft.com/en-us/library/ms817918.aspx:
The Kerberos Authentication Group Membership Extensions extend the
Kerberos Authentication Network Service (version 5) specification to
support interactive logon authentication and group membership
information for the Microsoft Windows operating system. Extensions
include the Privilege Access Certificate (PAC) structure, located in
the authorization data field of the Kerberos v5 ticket.

That URL references a field (Authorization Data) in the ticket that I
cannot determine how to access using this API:
http://docs.oracle.com/javase/6/docs...SSContext.html

My hope is that you can tell me how to get access to that field.
Or perhaps guidance on how to extract the group information from a
Kerberos ticket generated on Windows 2008 R2.

I am writing in Java, but would also be willing to write in C. The
logic to extract the group information from the ticket is running on
UNIX despite using Windows as the Kerberos server.

Thank you for any help you can give me!
pete
Guest
11-23-2011
On Wed, 23 Nov 2011 00:08:43 -0800, jason wrote:

> I am trying to extract group membership information from a Kerberos
> ticket generated on windows2008r2.
>
> In this URL:
> http://www.cs.wustl.edu/~jain/cse571...api/index.html
>
> I found the following statement:
> Kerberos is also looking into mechanisms to include group membership
> information in Kerberos authorization data. Although it would be
> favorable to include group names into ACLs, GSS-API currently does not
> have a mechanism to support this.
>
> It seems Microsoft has extended Kerberos to include group membership
> based on this URL:
> http://msdn.microsoft.com/en-us/library/ms817918.aspx: The Kerberos
> Authentication Group Membership Extensions extend the Kerberos
> Authentication Network Service (version 5) specification to support
> interactive logon authentication and group membership information for
> the Microsoft Windows operating system. Extensions include the Privilege
> Access Certificate (PAC) structure, located in the authorization data
> field of the Kerberos v5 ticket.
>
> That URL references a field (Authorization Data) in the ticket that I
> cannot determine how to access using this API:
> http://docs.oracle.com/javase/6/docs...SSContext.html
>
> My hope is that you can tell me how to get access to that field. Or
> perhaps guidance on how to extract the group information from a Kerberos
> Ticket Generated on Windows2008r2.
>
> I am writing in Java, but would also be willing to write in C. The
> logic to extract the group information from the ticket is running on
> UNIX despite using windows as the kerberos server.
>
> Thank you for any help you can give me!


Microsoft don't monitor these forums any more, so you might have better
luck here: http://connect.microsoft.com/MicrosoftForums/

Note that the Kerberos ticket is encrypted with the service session key,
so it depends on where you are trying to inspect the Kerberos packet.
More info here: http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
You can also look through the protocol documentation on MSDN
(http://msdn.microsoft.com/en-us/library/cc246071(v=PROT.13).aspx), which should
contain the level of detail you are after.
HTH
--
Pete
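The structure both posts are circling, as an added example that is not part of this thread and not Microsoft's or the JDK's code: the PAC that Jason's MSDN quote mentions sits in the ticket's AuthorizationData as an AD-WIN2K-PAC entry (ad-type 128) wrapped inside AD-IF-RELEVANT (ad-type 1), and the PAC itself opens with a PACTYPE header whose buffer table points at the logon info (the group RIDs and SIDs), a server checksum and a KDC checksum. The parser below walks exactly that layering. It assumes the service has already decrypted the ticket with its own key, which is the point Pete's reply makes, and has the raw DER AuthorizationData bytes in hand; on later JDKs the acceptor side can obtain those bytes through the JDK-specific `ExtendedGSSContext.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA)`, which the Java 6 `GSSContext` interface linked in the question does not offer. Python is used here only as a language-neutral sketch of the byte layout; the sample AuthorizationData is constructed inline, with 24 zero bytes standing in for the NDR-encoded KERB_VALIDATION_INFO.

```python
import struct

AD_IF_RELEVANT, AD_WIN2K_PAC = 1, 128   # AuthorizationData ad-type values (RFC 4120 5.2.6, MS-PAC)
PAC_BUFFER_TYPES = {1: "KERB_VALIDATION_INFO (logon info: user RID, group RIDs, extra SIDs)",  # MS-PAC 2.4
                    6: "Server Checksum", 7: "KDC Checksum",
                    10: "Client Name and Ticket Info", 12: "UPN and DNS Info"}
CHECKSUM_TYPES = {0xFFFFFF76: "KERB_CHECKSUM_HMAC_MD5",                                        # MS-PAC 2.8
                  0xF: "HMAC_SHA1_96_AES128", 0x10: "HMAC_SHA1_96_AES256"}

def _der_read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the DER TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _der_encode(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_bytes = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value

def parse_authorization_data(der):
    """AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }."""
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        _, entry, pos = _der_read_tlv(seq, pos)        # one SEQUENCE element
        _, ctx0, after0 = _der_read_tlv(entry, 0)       # [0] EXPLICIT wrapper
        _, ad_type, _ = _der_read_tlv(ctx0, 0)          # INTEGER
        _, ctx1, _ = _der_read_tlv(entry, after0)       # [1] EXPLICIT wrapper
        _, ad_data, _ = _der_read_tlv(ctx1, 0)          # OCTET STRING
        entries.append((int.from_bytes(ad_type, "big", signed=True), bytes(ad_data)))
    return entries

def find_pac(der):
    """Return the raw PAC bytes, descending through AD-IF-RELEVANT wrappers, or None."""
    for ad_type, ad_data in parse_authorization_data(der):
        if ad_type == AD_WIN2K_PAC:
            return ad_data
        if ad_type == AD_IF_RELEVANT:
            pac = find_pac(ad_data)
            if pac is not None:
                return pac
    return None

def parse_pac_buffers(pac):
    """PACTYPE: cBuffers ULONG, Version ULONG, then cBuffers x PAC_INFO_BUFFER
    {ulType ULONG, cbBufferSize ULONG, Offset ULONG64}; all little-endian."""
    c_buffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    buffers = []
    for i in range(c_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("PAC buffer %d runs past end of PAC" % i)
        buffers.append((ul_type, bytes(pac[offset:offset + size])))
    return buffers

def summarize_pac(der):
    """Locate the PAC and list its buffers; returns None when no PAC is present."""
    pac = find_pac(der)
    if pac is None:
        return None
    summary = {"buffers": [], "checksums": {}}
    for ul_type, data in parse_pac_buffers(pac):
        name = PAC_BUFFER_TYPES.get(ul_type, "unknown type %d" % ul_type)
        summary["buffers"].append(name)
        if ul_type in (6, 7):       # PAC_SIGNATURE_DATA: SignatureType ULONG, then the MAC bytes;
            (sig_type,) = struct.unpack_from("<I", data, 0)   # both must verify before logon info is trusted
            summary["checksums"][name] = (CHECKSUM_TYPES.get(sig_type, "unknown"), bytes(data[4:]))
    return summary

def build_sample_pac():
    """Constructed sample PACTYPE: a placeholder logon-info buffer plus two zeroed
    AES256 signature buffers, with 8-byte-aligned offsets as MS-PAC requires."""
    signature = struct.pack("<I", 0x10) + b"\x00" * 12          # HMAC_SHA1_96_AES256, 12-byte MAC
    bufs = [(1, b"\x00" * 24), (6, signature), (7, signature)]   # zeros stand in for NDR logon info
    table, body, offset = b"", b"", 8 + 16 * len(bufs)
    for ul_type, data in bufs:
        table += struct.pack("<IIQ", ul_type, len(data), offset)
        body, offset = body + data, offset + len(data)
    return struct.pack("<II", len(bufs), 0) + table + body

def build_sample_authorization_data():
    """Wrap the sample PAC as a Windows KDC does: AD-WIN2K-PAC inside AD-IF-RELEVANT."""
    def entry(ad_type, ad_data):
        ad_int = ad_type.to_bytes((ad_type.bit_length() + 8) // 8, "big", signed=True)
        return _der_encode(0x30, _der_encode(0xA0, _der_encode(0x02, ad_int))
                           + _der_encode(0xA1, _der_encode(0x04, ad_data)))
    inner = _der_encode(0x30, entry(AD_WIN2K_PAC, build_sample_pac()))
    return _der_encode(0x30, entry(AD_IF_RELEVANT, inner))
```

Running `summarize_pac(build_sample_authorization_data())` yields the three buffer names and the two signature entries. What the sketch deliberately stops short of is the group list itself: KERB_VALIDATION_INFO is NDR-marshalled, so reading GroupIds and ExtraSids out of buffer type 1 needs an NDR unmarshaller rather than a handful of `struct` calls. The check a service must not skip is the server checksum: it is a keyed hash over the whole PAC, computed with the service's own key and with both signature fields zeroed, and any group membership in a PAC whose server checksum does not verify has to be discarded rather than used for access decisions.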
