What happens to TGT and tickets when user locks the windows machine
Jeffrey Altman
jaltman2 at nyc.rr.com
Fri Jul 2 13:58:17 EDT 2004
Nothing should happen to the tickets.
When the user logs back in, Windows should re-authenticate the user
to the KDC and therefore will obtain a new TGT and a host ticket
for the local machine.
Lara Adianto wrote:
> Hello,
>
> I have a win2k machine which is a member of MIT Realm.
> A user who has an account in the MIT Realm logs on
> using the win2k machine.
>
> Using klist, I can see there are two tickets:
> - 1 TGT, with the MIT KDC
> - 1 session ticket with the win2k machine
>
> What will happen when the user locks the machine ?
> Will he lose the tickets ?
>
> Based on my experiment, when the user locks the
> machine, and then unlocks it, AS-REQ and TGS-REQ are
> reinitiated (recorded in the log file of KDC).
> Logically, this means that klist will show new TGT and
> new session ticket.
>
> However, my observation shows that the session ticket
> with the win2k machine is the initial ticket (before
> locking the machine) !! The TGT is a new one. If the
> TGS-REQ is negotiated with the KDC, what happens with
> the new session ticket ? why can't I see it with klist
> ?
>
> Another doubt is about the logon process in windows
> machine. Does the user negotiate a KDC_AP_REQ with the
> windows machine upon AS-REQ and TGS-REQ with the KDC ?
> From the windows 2000 white paper, it seems that only
> AS-REQ and TGS-REQ are required for a user to log in
> to the windows machine...
>
> Hope somebody can help me to clear my doubts,
> lara
>
> =====
> ------------------------------------------------------------------------------------
> Life, you see, is never as good or as bad as one thinks
> - Guy de Maupassant -
> ------------------------------------------------------------------------------------
>
>
--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
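
One way to check from the KDC side the re-authentication on unlock discussed in this thread, as an added example that is not part of the original messages: it groups each issued TGT with the service tickets obtained using it, relying on a TGS_REQ entry logging the authtime of the TGT presented. The log lines are constructed in the style of MIT krb5kdc `ISSUE` entries, and the realm, host, principal and function names are assumptions.

```python
import re

# Constructed sample in the style of MIT krb5kdc log entries (not from the thread).
# Realm, host and principal names are assumptions made for this example.
SAMPLE_LOG = """\
Jul 02 09:00:01 kdc krb5kdc[412](info): AS_REQ (2 etypes {23 3}) 10.0.0.5: ISSUE: authtime 1088758801, etypes {rep=23 tkt=16 ses=23}, lara@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
Jul 02 09:00:02 kdc krb5kdc[412](info): TGS_REQ (2 etypes {23 3}) 10.0.0.5: ISSUE: authtime 1088758801, etypes {rep=23 tkt=23 ses=23}, lara@EXAMPLE.REALM for host/win2k.example.realm@EXAMPLE.REALM
Jul 02 13:58:17 kdc krb5kdc[412](info): AS_REQ (2 etypes {23 3}) 10.0.0.5: NEEDED_PREAUTH: lara@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM, Additional pre-authentication required
Jul 02 13:58:17 kdc krb5kdc[412](info): AS_REQ (2 etypes {23 3}) 10.0.0.5: ISSUE: authtime 1088776697, etypes {rep=23 tkt=16 ses=23}, lara@EXAMPLE.REALM for krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
Jul 02 13:58:18 kdc krb5kdc[412](info): TGS_REQ (2 etypes {23 3}) 10.0.0.5: ISSUE: authtime 1088776697, etypes {rep=23 tkt=23 ses=23}, lara@EXAMPLE.REALM for host/win2k.example.realm@EXAMPLE.REALM
"""

# Only entries where a ticket was actually issued are of interest.
LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>[\d.]+): ISSUE: "
    r"authtime (?P<authtime>\d+),.*?, (?P<client>\S+) for (?P<service>\S+)$"
)


def parse(log):
    """Return issued-ticket events as dicts, in log order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:  # NEEDED_PREAUTH and other non-ISSUE entries are skipped
            ev = m.groupdict()
            ev["authtime"] = int(ev["authtime"])
            events.append(ev)
    return events


def reauth_cycles(events):
    """Map (client, authtime) of each issued TGT to the services requested with it.

    A TGS_REQ entry carries the authtime of the TGT presented, so an equal
    client and authtime ties a service ticket to one specific logon or unlock.
    """
    cycles = {}
    for ev in events:
        key = (ev["client"], ev["authtime"])
        if ev["req"] == "AS_REQ":
            cycles[key] = []
        elif key in cycles:
            cycles[key].append(ev["service"])
    return cycles


if __name__ == "__main__":
    for (client, authtime), services in reauth_cycles(parse(SAMPLE_LOG)).items():
        print(client, authtime, services)
```

Two cycles for the same client with different authtimes, each followed by a host ticket request, is the KDC-side view of a logon and a later unlock.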