Re: will the TGT destroyed if user locks windows
From: christy (anonymous_at_discussions.microsoft.com)
Date: Thu, 1 Jul 2004 18:57:39 -0700
You mean that the Windows client simply sends AS-REQ and
TGS-REQ to the MIT KDC just to verify the password? And in
this case the TGT and ticket that it has retained
previously aren't destroyed? I did notice that the TGT is
renewed. So, I can set the registry not to renew the TGT?
Thank you for your reply!
>Most likely the machine is simply doing a live verify of
>the password, it isn't querying the KDC to get a new TGT
>for use by the machine, just making sure the person typing
>the password to unlock the machine is valid and nothing has
>happened to that ID in the meanwhile since it was locked.
>This happens against Windows Domains as well. I believe
>there is a registry change that can be made that will tell
>the client to instead use cached info.
>Joe Richards Microsoft MVP Windows Server Directory Services
>> I have a win2k machine which is a member of MIT Realm.
>> A user who has an account in the MIT Realm logs on
>> using the win2k machine.
>> Using klist, I can see there are two tickets:
>> - 1 TGT, with the MIT KDC
>> - 1 session ticket with the win2k machine
>> What will happen when the user locks the machine ?
>> Will he lose the tickets ?
>> Based on my experiment, when the user locks the
>> machine, and then unlocks it, AS-REQ and TGS-REQ are
>> reinitiated (recorded in the log file of KDC).
>> Logically, this means that klist will show a new TGT and
>> a new session ticket.
>> However, my observation shows that the session ticket
>> with the win2k machine is the initial ticket (before
>> locking the machine)!! The TGT is a new one. If the
>> TGS-REQ is negotiated with the KDC, what happens with
>> the new session ticket? Why can't I see it with klist?
>> Another doubt is about the logon process on a Windows
>> machine. Does the user negotiate a KDC_AP_REQ with the
>> Windows machine after the AS-REQ and TGS-REQ with the KDC?
>> From the Windows 2000 white paper, it seems that only
>> AS-REQ and TGS-REQ are required for a user to log in
>> to the Windows machine...
>> Hope somebody can help me to clear my doubts
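The observation in the original question (an AS-REQ and a TGS-REQ appearing in the KDC log every time the workstation is unlocked) is easiest to confirm by reading the KDC log per principal rather than line by line. The following script is an added example, not code from anyone in this thread: it parses lines in the MIT krb5kdc text-log style, groups each AS_REQ with the TGS_REQs that follow it from the same principal and client address within a short window (a 60-second window is an assumption), and labels each group as the first logon, a later re-authentication of the kind an unlock produces, a failed pre-authentication, or plain TGS traffic against a TGT already held. The log lines, hostnames, IPs, principals and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the style of the MIT krb5kdc text log.
# Hosts, IPs, principals and times are hypothetical. One user performs an
# initial logon, later an AS_REQ + TGS_REQ pair of the kind seen at unlock,
# and finally one failed pre-authentication (for example a mistyped password).
SAMPLE_LOG = """\
Jul 01 08:00:01 kdc krb5kdc[2201](info): AS_REQ (3 etypes {18 17 23}) 192.0.2.10: ISSUE: authtime 1088694001, etypes {rep=18 tkt=18 ses=18}, christy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 01 08:00:02 kdc krb5kdc[2201](info): TGS_REQ (3 etypes {18 17 23}) 192.0.2.10: ISSUE: authtime 1088694001, etypes {rep=18 tkt=18 ses=18}, christy@EXAMPLE.COM for host/win2k.example.com@EXAMPLE.COM
Jul 01 12:30:15 kdc krb5kdc[2201](info): AS_REQ (3 etypes {18 17 23}) 192.0.2.10: ISSUE: authtime 1088710215, etypes {rep=18 tkt=18 ses=18}, christy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 01 12:30:15 kdc krb5kdc[2201](info): TGS_REQ (3 etypes {18 17 23}) 192.0.2.10: ISSUE: authtime 1088710215, etypes {rep=18 tkt=18 ses=18}, christy@EXAMPLE.COM for host/win2k.example.com@EXAMPLE.COM
Jul 01 12:31:00 kdc krb5kdc[2201](info): AS_REQ (3 etypes {18 17 23}) 192.0.2.10: PREAUTH_FAILED: christy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
"""

# One regex for both AS_REQ and TGS_REQ lines; the "authtime ..., etypes {...}, "
# part is only present on successful (ISSUE) lines, hence optional.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Year is not in the log line; strptime defaults it, which is fine for ordering.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append({
            "time": ts, "kind": m["kind"], "ip": m["ip"], "status": m["status"],
            "client": m["client"], "service": m["service"],
        })
    return events


def build_episodes(events, window=timedelta(seconds=60)):
    """Group each AS_REQ with the TGS_REQs from the same principal and IP that
    follow it within `window`. A fresh AS_REQ is the signature of a new TGT
    (initial logon or unlock); a TGS_REQ with no recent AS_REQ is ordinary
    use of a TGT the client already holds."""
    episodes = []
    open_ep = {}          # (client, ip) -> episode still collecting TGS_REQs
    prior_success = set()  # (client, ip) pairs that already had an issued TGT
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["client"], ev["ip"])
        if ev["kind"] == "AS_REQ":
            if ev["status"] != "ISSUE":
                label = "failed"
            elif key in prior_success:
                label = "reauth"   # new TGT for a client that already logged on
            else:
                label = "initial"
                prior_success.add(key)
            ep = {"client": ev["client"], "ip": ev["ip"], "start": ev["time"],
                  "status": ev["status"], "services": [], "label": label}
            episodes.append(ep)
            open_ep[key] = ep
        else:
            ep = open_ep.get(key)
            if ep and ep["status"] == "ISSUE" and ev["time"] - ep["start"] <= window:
                ep["services"].append(ev["service"])
            else:
                episodes.append({"client": ev["client"], "ip": ev["ip"],
                                 "start": ev["time"], "status": ev["status"],
                                 "services": [ev["service"]], "label": "tgs_only"})
    return episodes


if __name__ == "__main__":
    for ep in build_episodes(parse_kdc_log(SAMPLE_LOG)):
        when = ep["start"].strftime("%b %d %H:%M:%S")
        print(f"{when} {ep['client']} from {ep['ip']}: {ep['label']} "
              f"({ep['status']}) services={ep['services']}")
```

Run against the sample, the second episode is labelled `reauth` and carries the same `host/win2k.example.com` service ticket as the first, which is exactly the pattern the original poster saw at unlock; the third is a `failed` AS_REQ with no service tickets. On a real KDC the window value and the per-IP grouping may need tuning (NAT or multi-homed clients), and the regex is written for the MIT text log, not for Windows event logs.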