MIT/Win2k/XP Kerberos trust relationship bug?
Wachdorf, Daniel R
drwachd at sandia.gov
Tue Jul 13 14:27:15 EDT 2004
Are you talking about a login using the Windows GINA and typing in
username at MIT.REALM? Which then uses trust between MIT.REALM and
ACTIVEDIRECTORY.REALM?

When I run that, I don't have the problem. I can lock my XP box fine, come
back and I still have my TGT for mit.realm and the cross-realm ticket for
activedirectory.realm. Further requests for tickets work fine.

-dan

> -----Original Message-----
> From: Brian Davidson [mailto:bdavids1 at gmu.edu]
> Sent: Tuesday, July 13, 2004 11:43 AM
> To: kerberos at mit.edu
> Subject: MIT/Win2k/XP Kerberos trust relationship bug?
>
> Hi,
>
> I saw this question in the archives (May 4, 2002), but with no
> responses. We're running into this issue, and I was wondering if there
> was any workaround [yet]?
>
> The configuration - MIT KDC is "primary" KDC, and Windows AD KDC trusts
> the MIT KDC.
>
> The problem:
> 1. From an XP workstation which is a member of the AD, authenticate
> against the MIT realm
> 2. Lock the workstation
> 3. Unlock the workstation
>
> At this point, you've lost virtually all of your tickets, and you can't
> access resources in the AD. I haven't found any patches, but maybe I
> don't know the secret code word to put into the Microsoft
> Knowledgebase, or Google.
>
> Based on packet traces, I'm convinced it's a Windows 2000/XP bug. It's
> the workstation which forgets its tickets, and then neglects to ask for
> new ones.
>
> If there isn't a fix available, I guess I'll write a GINA which acts as
> a pass-through to the default GINA for all GINA functions except for
> WlxWkstaLockedSAS(). I'm assuming it's dumping the tickets when
> WlxWkstaLockedSAS acquires a new TGT from the MIT realm...
>
> Thanks for any help,
>
> Brian Davidson
> George Mason University
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos