Re: will the TGT destroyed if user locks windows
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/02/04
- Next message: user72th: "log on to windows password and user error"
- Previous message: Laura E. Hunter \(MVP\): "Re: ACCESS DENINED"
- In reply to: christy: "Re: will the TGT destroyed if user locks windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 02 Jul 2004 10:06:46 -0400
I agree and that is the functionality you use if you tell the client to not
reverify domain credentials on unlock. Unfortunately, I know that there is an
entry for this, I don't know what the specific entry is. If you poke around in
your local security policy you may find it. If you can't find it after looking,
let me know and I will see if I can find it.
--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

christy wrote:
> Hi Joe,
>
> If the machine wants to do a verification of password only, it can simply compare the hash of the password entered by the user when he wants to unlock the machine with the cached hash of the password that has been saved before during the login process, right?
> In this way, there is no need to consult the KDC...
>
> What do you think?
>
>>-----Original Message-----
>>You mean that the windows client simply sends AS-REQ and TGS-REQ to MIT KDC just to verify the password? And in this case the TGT and ticket that it has retained previously aren't destroyed? I did notice that the TGT is renewed. So, I can set the registry not to renew the TGT?
>>
>>Thank you for your reply!
>>
>>>-----Original Message-----
>>>Most likely the machine is simply doing a live verify of the password, it isn't querying the KDC to get a new TGT for use by the machine, just making sure the person typing the password to unlock the machine is valid and nothing has happened to that ID in the meanwhile since it was locked. This happens against Windows Domains as well. I believe there is a registry change that can be made that will tell the client to instead use cached info.
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>christy wrote:
>>>
>>>>Hello,
>>>>
>>>>I have a win2k machine which is a member of MIT Realm. A user who has an account in the MIT Realm logs on using the win2k machine.
>>>>
>>>>Using klist, I can see there are two tickets:
>>>>- 1 TGT, with the MIT KDC
>>>>- 1 session ticket with the win2k machine
>>>>
>>>>What will happen when the user locks the machine? Will he lose the tickets?
>>>>
>>>>Based on my experiment, when the user locks the machine, and then unlocks it, AS-REQ and TGS-REQ are reinitiated (recorded in the log file of KDC). Logically, this means that klist will show new TGT and new session ticket.
>>>>
>>>>However, my observation shows that the session ticket with the win2k machine is the initial ticket (before locking the machine)!! The TGT is a new one. If the TGS-REQ is negotiated with the KDC, what happens with the new session ticket? Why can't I see it with klist?
>>>>
>>>>Another doubt is about the logon process in windows machine. Does the user negotiate a KDC_AP_REQ with the windows machine upon AS-REQ and TGS-REQ with the KDC? From the windows 2000 white paper, it seems that only AS-REQ and TGS-REQ are required for a user to log in to the windows machine...
>>>>
>>>>Hope somebody can help me to clear my doubts
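The thread leaves open which local policy entry controls whether an unlock is re-verified against the domain controller or against locally cached credentials. As an added example that is not part of the thread or of Joe's or christy's posts, the PowerShell below audits that setting on a workstation and states the defensive trade-off of each mode. It assumes the Winlogon registry value `ForceUnlockLogon` (REG_DWORD), which backs the security option "Interactive logon: Require Domain Controller authentication to unlock workstation" in Microsoft's policy documentation; the function names and the `Risk` text are this example's own.

```powershell
# Added example (not from the mailing-list thread). Reports how this workstation
# verifies a user who unlocks a locked session.
#
# Assumption: the security option "Interactive logon: Require Domain Controller
# authentication to unlock workstation" is stored as the REG_DWORD ForceUnlockLogon
# under the Winlogon key. 1 = re-authenticate against the DC/KDC on every unlock
# (the AS-REQ christy saw in the KDC log); 0 or absent = compare against the
# credential information cached at logon, with no KDC contact.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UnlockVerificationMode {
    [CmdletBinding()]
    param()

    # Get-ItemProperty returns $null for the property when the value is not set.
    $raw = (Get-ItemProperty -Path $WinlogonKey -Name 'ForceUnlockLogon' `
                -ErrorAction SilentlyContinue).ForceUnlockLogon

    $mode = if ($null -ne $raw -and [int]$raw -eq 1) { 'DomainController' } else { 'Cached' }

    $risk = if ($mode -eq 'Cached') {
        # An account disabled, locked out or given a new password while the
        # session is locked can still unlock it until the next full logon.
        'Account state changes made while the session is locked are not enforced at unlock.'
    } else {
        # Each unlock generates authentication traffic and fails if no DC/KDC is reachable.
        'Unlock requires a reachable DC/KDC; each unlock is visible as an authentication event.'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ForceUnlockLogon = $raw          # $null when the policy is not configured
        UnlockVerifiedBy = $mode
        Risk             = $risk
    }
}

function Set-UnlockVerificationMode {
    # Switches the setting; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Cached', 'DomainController')]
        [string]$Mode
    )

    $desired = if ($Mode -eq 'DomainController') { 1 } else { 0 }

    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set ForceUnlockLogon = $desired")) {
        # Requires local administrator rights; creates the value if it is absent.
        New-ItemProperty -Path $WinlogonKey -Name 'ForceUnlockLogon' `
            -PropertyType DWord -Value $desired -Force | Out-Null
    }
    Get-UnlockVerificationMode
}

# Usage: audit first, then preview a change before applying it.
Get-UnlockVerificationMode | Format-List
Set-UnlockVerificationMode -Mode DomainController -WhatIf
```

Run the audit as an ordinary user to read the value; changing it needs an elevated session, and in a domain the Group Policy setting of the same name overrides whatever is written locally at the next policy refresh.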