Re: will the TGT destroyed if user locks windows

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/02/04


Date: Fri, 02 Jul 2004 10:06:46 -0400

I agree and that is the functionality you use if you tell the client to not
reverify domain credentials on unlock. Unfortunately, while I know that there is an
entry for this, I don't know what the specific entry is. If you poke around in
your local security policy you may find it. If you can't find it after looking,
let me know and I will see if I can find it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
christy wrote:
> Hi Joe,
> 
> If the machine wants to do a verification of the password only, it can simply
> compare the hash of the password entered by the user when he wants to unlock
> the machine with the cached hash of the password that was saved earlier, during
> the login process, right?
> In this way, there is no need to consult the KDC...
> 
> What do you think?
> 
> 
>>-----Original Message-----
>>You mean that the windows client simply sends AS-REQ and
>>TGS-REQ to MIT KDC just to verify the password? And in
>>this case the TGT and ticket that it has retained
>>previously aren't destroyed? I did notice that the TGT is
>>renewed. So, I can set the registry not to renew the TGT?
>>
>>Thank you for your reply!
>>
>>
>>>-----Original Message-----
>>>Most likely the machine is simply doing a live verify of the password, it isn't
>>>querying the KDC to get a new TGT for use by the machine, just making sure the
>>>person typing the password to unlock the machine is valid and nothing has
>>>happened to that ID in the meanwhile since it was locked. This happens against
>>>Windows Domains as well. I believe there is a registry change that can be made
>>>that will tell the client to instead use cached info.
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>
>>>
>>>christy wrote:
>>>
>>>>Hello,
>>>>
>>>>I have a win2k machine which is a member of MIT Realm.
>>>>A user who has an account in the MIT Realm logs on
>>>>using the win2k machine. 
>>>>
>>>>Using klist, I can see there are two tickets:
>>>>- 1 TGT, with the MIT KDC
>>>>- 1 session ticket with the win2k machine
>>>>
>>>>What will happen when the user locks the machine?
>>>>Will he lose the tickets?
>>>>
>>>>Based on my experiment, when the user locks the
>>>>machine, and then unlocks it, AS-REQ and TGS-REQ are
>>>>reinitiated (recorded in the log file of the KDC).
>>>>Logically, this means that klist will show a new TGT and
>>>>a new session ticket.
>>>>
>>>>However, my observation shows that the session ticket
>>>>with the win2k machine is the initial ticket (before
>>>>locking the machine)!! The TGT is a new one. If the
>>>>TGS-REQ is negotiated with the KDC, what happens with
>>>>the new session ticket? Why can't I see it with klist?
>>>>
>>>>Another doubt is about the logon process on the windows
>>>>machine. Does the user negotiate a KDC_AP_REQ with the
>>>>windows machine after the AS-REQ and TGS-REQ with the KDC?
>>>>From the windows 2000 white paper, it seems that only
>>>>AS-REQ and TGS-REQ are required for a user to log in
>>>>to the windows machine...
>>>>
>>>>Hope somebody can help me to clear my doubts.
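The client setting the thread refers to but does not name can be audited from PowerShell. This is an added example, not code from the thread; identifying the setting as the `ForceUnlockLogon` value under the Winlogon key (the registry backing for the security option "Interactive logon: Require Domain Controller authentication to unlock workstation") is the editor's own, and the behaviour descriptions follow what the thread observes.

```powershell
# Added example (not from the thread): report whether this Windows client
# re-verifies the account with a domain controller / KDC on unlock, or accepts
# the locally cached credential. The value name is the editor's identification
# of the setting discussed above; the thread itself does not name it.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'ForceUnlockLogon'

$props = Get-ItemProperty -Path $key -ErrorAction Stop
$value = $props.$name

if ($null -eq $value) {
    # Value absent: the client behaves as if it were 0 (cached verification on unlock).
    $effective = 0
    $source    = 'default (value not set)'
} else {
    $effective = [int]$value
    $source    = 'explicit registry value'
}

if ($effective -eq 1) {
    Write-Output "Unlock re-authenticates against the DC/KDC ($name=1, $source)."
    Write-Output "Effect: a disabled account or changed password is enforced at unlock;"
    Write-Output "expect AS-REQ/TGS-REQ in the KDC log on every unlock, as observed in the thread."
} else {
    Write-Output "Unlock is verified against the cached credential ($name=$effective, $source)."
    Write-Output "Effect: no KDC traffic on unlock; account changes made while the session"
    Write-Output "is locked are not enforced until the next full logon."
}

# To switch to cached verification (the behaviour Joe describes), set the value to 0:
#   Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
```

Run it in an elevated session on the client whose unlock behaviour is in question; the trade-off it reports (no KDC round trip versus account changes not taking effect until the next logon) is the one the thread is weighing.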

