Re: will the TGT destroyed if user locks windows

From: christy (anonymous_at_discussions.microsoft.com)
Date: 07/02/04


Date: Thu, 1 Jul 2004 18:57:39 -0700

You mean that the Windows client simply sends AS-REQ and
TGS-REQ to the MIT KDC just to verify the password? And in
this case the TGT and ticket that it has retained
previously aren't destroyed? I did notice that the TGT is
renewed. So, I can set the registry not to renew the TGT?

Thank you for your reply!

>-----Original Message-----
>Most likely the machine is simply doing a live verify of
>the password; it isn't querying the KDC to get a new TGT
>for use by the machine, just making sure the person typing
>the password to unlock the machine is valid and nothing has
>happened to that ID in the meanwhile since it was locked.
>This happens against Windows Domains as well. I believe
>there is a registry change that can be made that will tell
>the client to instead use cached info.
>
>--
>Joe Richards Microsoft MVP Windows Server Directory Services
>www.joeware.net
>
>christy wrote:
>> Hello,
>>
>> I have a win2k machine which is a member of an MIT Realm.
>> A user who has an account in the MIT Realm logs on
>> using the win2k machine.
>>
>> Using klist, I can see there are two tickets:
>> - 1 TGT, with the MIT KDC
>> - 1 session ticket with the win2k machine
>>
>> What will happen when the user locks the machine?
>> Will he lose the tickets?
>>
>> Based on my experiment, when the user locks the
>> machine, and then unlocks it, AS-REQ and TGS-REQ are
>> reinitiated (recorded in the log file of the KDC).
>> Logically, this means that klist will show a new TGT and
>> a new session ticket.
>>
>> However, my observation shows that the session ticket
>> with the win2k machine is the initial ticket (before
>> locking the machine)!! The TGT is a new one. If the
>> TGS-REQ is negotiated with the KDC, what happens with
>> the new session ticket? Why can't I see it with klist?
>>
>> Another doubt is about the logon process on a Windows
>> machine. Does the user negotiate a KDC_AP_REQ with the
>> Windows machine upon AS-REQ and TGS-REQ with the KDC?
>> From the Windows 2000 white paper, it seems that only
>> AS-REQ and TGS-REQ are required for a user to log in
>> to the Windows machine...
>>
>> Hope somebody can help me to clear my doubts.
>
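The AS-REQ/TGS-REQ pair that christy saw in the KDC log after every unlock looks, in krb5kdc.log, exactly like a fresh logon, which matters when that log is used to count logons or to hunt for password guessing. The script below is an added example for this thread, not code posted by anyone in it: it parses constructed log lines laid out like MIT krb5kdc.log output (the exact layout, the syslog year 2004, the 5-second pairing window and the host/ service name are assumptions, not taken from the thread), pairs each issued AS_REQ with the TGS_REQ for the workstation's own host/ principal that follows it from the same client, and separately counts pre-auth failures, which is where a password mistyped at the lock screen would land if the unlock is verified live against the KDC as Joe describes.

```python
"""Spot the AS_REQ + TGS_REQ 'live verify' bursts that a workstation
unlock leaves in an MIT krb5kdc.log.

Added example for this thread, not code posted by anyone in it.
Assumptions (not from the thread): the log layout sketched in SAMPLE_LOG,
the syslog year, the 5 s pairing window and the host/ service name.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the style of MIT krb5kdc.log: one logon at
# 08:01, a share access at 08:01:30, then two unlocks (09:15 and 10:40),
# the second preceded by a mistyped password at the lock screen.
SAMPLE_LOG = """\
Jul 01 08:01:02 kdc krb5kdc[1234](info): AS_REQ (3 etypes {23 3 1}) 10.0.0.5: ISSUE: authtime 1088694062, etypes {rep=23 tkt=23 ses=23}, christy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 01 08:01:02 kdc krb5kdc[1234](info): TGS_REQ (3 etypes {23 3 1}) 10.0.0.5: ISSUE: authtime 1088694062, etypes {rep=23 tkt=23 ses=23}, christy@EXAMPLE.COM for host/win2k.example.com@EXAMPLE.COM
Jul 01 08:01:30 kdc krb5kdc[1234](info): TGS_REQ (3 etypes {23 3 1}) 10.0.0.5: ISSUE: authtime 1088694062, etypes {rep=23 tkt=23 ses=23}, christy@EXAMPLE.COM for cifs/fs1.example.com@EXAMPLE.COM
Jul 01 09:15:44 kdc krb5kdc[1234](info): AS_REQ (3 etypes {23 3 1}) 10.0.0.5: ISSUE: authtime 1088698544, etypes {rep=23 tkt=23 ses=23}, christy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 01 09:15:44 kdc krb5kdc[1234](info): TGS_REQ (3 etypes {23 3 1}) 10.0.0.5: ISSUE: authtime 1088698544, etypes {rep=23 tkt=23 ses=23}, christy@EXAMPLE.COM for host/win2k.example.com@EXAMPLE.COM
Jul 01 10:40:10 kdc krb5kdc[1234](info): AS_REQ (3 etypes {23 3 1}) 10.0.0.5: PREAUTH_FAILED: christy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jul 01 10:40:21 kdc krb5kdc[1234](info): AS_REQ (3 etypes {23 3 1}) 10.0.0.5: ISSUE: authtime 1088703621, etypes {rep=23 tkt=23 ses=23}, christy@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 01 10:40:21 kdc krb5kdc[1234](info): TGS_REQ (3 etypes {23 3 1}) 10.0.0.5: ISSUE: authtime 1088703621, etypes {rep=23 tkt=23 ses=23}, christy@EXAMPLE.COM for host/win2k.example.com@EXAMPLE.COM
"""

# Field layout is an assumption about this KDC version; adjust for yours.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<client>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<princ>\S+) for (?P<svc>\S+?)(?:,.*)?$"
)

SYSLOG_YEAR = 2004      # syslog-style timestamps carry no year (assumption)
VERIFY_WINDOW_S = 5     # AS_REQ and TGS_REQ of one unlock arrive together


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{SYSLOG_YEAR} {ev['ts']}",
                                       "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def find_verify_bursts(events, window_s=VERIFY_WINDOW_S):
    """Issued AS_REQ followed within window_s by an issued TGS_REQ for a
    host/ principal, same client IP and same user: the pattern that both
    the initial logon and every later unlock produce at the KDC."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["client"], ev["princ"])].append(ev)
    bursts = []
    for (client, princ), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])   # stable: same-second order kept
        for i, ev in enumerate(evs):
            if ev["kind"] != "AS_REQ" or ev["status"] != "ISSUE":
                continue
            for nxt in evs[i + 1:]:
                if (nxt["time"] - ev["time"]).total_seconds() > window_s:
                    break
                if (nxt["kind"] == "TGS_REQ" and nxt["status"] == "ISSUE"
                        and nxt["svc"].startswith("host/")):
                    bursts.append((ev["time"], client, princ, nxt["svc"]))
                    break
    return sorted(bursts)


def count_preauth_failures(events):
    """Failed AS_REQ pre-auth per (client, user): a wrong password at the
    lock screen shows up here when the unlock is verified live at the KDC."""
    return Counter((ev["client"], ev["princ"]) for ev in events
                   if ev["kind"] == "AS_REQ" and ev["status"] == "PREAUTH_FAILED")


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for when, client, princ, svc in find_verify_bursts(evs):
        print(f"{when:%H:%M:%S} {princ} from {client}: new TGT + ticket for {svc}")
    for (client, princ), n in count_preauth_failures(evs).items():
        print(f"{princ} from {client}: {n} pre-auth failure(s)")
```

On the sample, three bursts are reported for one user from one workstation although only the first is a real logon; the KDC log alone cannot tell the two apart, so a logon count taken from AS_REQ lines overstates logons by the number of unlocks, and a lockout threshold fed from PREAUTH_FAILED lines will also count lock-screen typos.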


