KRB_AP_ERR_TKT_EXPIRED during last 120 seconds of ticket lifetime
Robbert Eggermont
R.Eggermont at tudelft.nl
Sat Sep 5 05:09:36 EDT 2015
Hi all,
After we updated to Windows 2012R2, we noticed that the KDC already
returns KRB_AP_ERR_TKT_EXPIRED during the last 120 seconds of ticket
lifetime, which can cause problems with authentication and ticket renewal.
Before, tickets were accepted right up to the end of the ticket
lifetime. This seems to be the intended behavior according to the Kerberos 5
specification (RFC 1510): "if the current [local server] time is later
than end time by more than the allowable clock skew, the
KRB_AP_ERR_TKT_EXPIRED error is returned."
We contacted Microsoft about this behavior, since KB2877460
(https://support.microsoft.com/en-us/kb/2877460) seems to acknowledge
that returning KRB_AP_ERR_TKT_EXPIRED early can cause issues, and that
a hotfix was released to fix this. Unfortunately, according to
Microsoft, Windows 2012R2 already includes this fix.
I was wondering if anybody has an idea why the Windows 2012R2 KDC would
want to return KRB_AP_ERR_TKT_EXPIRED before the actual end time, and
whether this behavior is correct or not?
--
Robbert Eggermont
Intelligent Systems, Electr.Eng., Mathematics & Comp.Science
Delft University of Technology
R.Eggermont at tudelft.nl
+31 15 27 83234
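As an added illustration (not part of the original post), the following Python models the two expiry rules described above: the RFC 1510 check, under which a ticket is only expired once local time exceeds the end time by more than the allowable clock skew, and the observed 2012R2 behavior, which rejects a ticket during its last 120 seconds. The 5-minute clock skew is an assumed conventional default, not a value from the post.

```python
from datetime import datetime, timedelta, timezone

# Assumed allowable clock skew (5 minutes is the common default; the post
# does not state the value used in this environment).
CLOCK_SKEW = timedelta(minutes=5)
# Margin reported in the post: the KDC returns KRB_AP_ERR_TKT_EXPIRED
# during the last 120 seconds of ticket lifetime.
EARLY_REJECT_MARGIN = timedelta(seconds=120)


def rfc1510_expired(now, endtime, skew=CLOCK_SKEW):
    """RFC 1510 rule: expired only if local time is later than endtime
    by more than the allowable clock skew (equal to the skew is still ok)."""
    return now > endtime + skew


def early_reject_expired(now, endtime, margin=EARLY_REJECT_MARGIN):
    """Behavior observed on Windows 2012R2: the ticket is treated as
    expired once less than `margin` of its lifetime remains."""
    return now >= endtime - margin


def disagreement_window(endtime, skew=CLOCK_SKEW, margin=EARLY_REJECT_MARGIN):
    """Half-open interval [start, end) in which the observed KDC rejects a
    ticket that RFC 1510 would still accept."""
    return endtime - margin, endtime + skew


def latest_safe_renewal(endtime, margin=EARLY_REJECT_MARGIN):
    """Last instant at which a renewal request presenting this ticket is
    still accepted by a KDC with the early-reject behavior (mitigation:
    schedule renewals before this point rather than at endtime)."""
    return endtime - margin - timedelta(seconds=1)


if __name__ == "__main__":
    # Constructed sample: a ticket ending at noon UTC.
    end = datetime(2015, 9, 5, 12, 0, 0, tzinfo=timezone.utc)
    for remaining in (300, 121, 120, 60, 0):
        now = end - timedelta(seconds=remaining)
        print(f"{remaining:>4}s left: RFC1510 expired={rfc1510_expired(now, end)} "
              f"2012R2 expired={early_reject_expired(now, end)}")
    start, stop = disagreement_window(end)
    print("rules disagree from", start.time(), "until", stop.time())
```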