Re: will the TGT destroyed if user locks windows

From: christy
Date: 07/02/04

Date: Thu, 1 Jul 2004 19:24:06 -0700

Hi Joe,

If the machine wants to do a verification of the password only, it can simply compare the hash of the password entered by the user when he wants to unlock the machine with the cached hash of the password that was saved before, during the login process, right?
In this way, there is no need to consult the KDC...

What do you think ?

>-----Original Message-----
>You mean that the Windows client simply sends AS-REQ and
>TGS-REQ to the MIT KDC just to verify the password? And in
>this case the TGT and ticket that it has retained
>previously aren't destroyed? I did notice that the TGT is
>renewed. So, can I set the registry not to renew the TGT?
>Thank you for your reply!
>>-----Original Message-----
>>Most likely the machine is simply doing a live verify of the password, it isn't
>>querying the KDC to get a new TGT for use by the machine, just making sure the
>>person typing the password to unlock the machine is valid and nothing has
>>happened to that ID in the meanwhile since it was locked. This happens against
>>Windows Domains as well. I believe there is a registry change that can be made
>>that will tell the client to instead use cached info.
>>
>>Joe Richards
>>Microsoft MVP Windows Server Directory Services
>>
>>christy wrote:
>>> Hello,
>>> I have a win2k machine which is a member of MIT Realm.
>>> A user who has an account in the MIT Realm logs on
>>> using the win2k machine.
>>> Using klist, I can see there are two tickets:
>>> - 1 TGT, with the MIT KDC
>>> - 1 session ticket with the win2k machine
>>> What will happen when the user locks the machine?
>>> Will he lose the tickets?
>>> Based on my experiment, when the user locks the
>>> machine, and then unlocks it, AS-REQ and TGS-REQ are
>>> reinitiated (recorded in the log file of the KDC).
>>> Logically, this means that klist will show a new TGT and
>>> a new session ticket.
>>> However, my observation shows that the session ticket
>>> with the win2k machine is the initial ticket (before
>>> locking the machine)!! The TGT is a new one. If the
>>> TGS-REQ is negotiated with the KDC, what happens with
>>> the new session ticket? Why can't I see it with klist?
>>> Another doubt is about the logon process on a Windows
>>> machine. Does the user negotiate a KDC_AP_REQ with the
>>> Windows machine upon AS-REQ and TGS-REQ with the KDC?
>>> From the Windows 2000 white paper, it seems that only
>>> AS-REQ and TGS-REQ are required for a user to log in
>>> to the Windows machine...
>>> Hope somebody can help me to clear my doubts.