What happens to TGT and tickets when user locks the windows machine

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Jul 2 13:58:17 EDT 2004


Nothing should happen to the tickets.
When the user logs back in, Windows should re-authenticate the user
to the KDC and therefore will obtain a new TGT and a host ticket
for the local machine.



Lara Adianto wrote:
> Hello,
> 
> I have a win2k machine which is a member of MIT Realm.
> A user who has an account in the MIT Realm logs on
> using the win2k machine. 
> 
> Using klist, I can see there are two tickets:
> - 1 TGT, with the MIT KDC
> - 1 session ticket with the win2k machine
> 
> What will happen when the user locks the machine ?
> Will he lose the tickets ?
> 
> Based on my experiment, when the user locks the
> machine, and then unlocks it, AS-REQ and TGS-REQ are
> reinitiated (recorded in the log file of KDC). 
> Logically, this means that klist will show new TGT and
> new session ticket.
> 
> However, my observation shows that the session ticket
> with the win2k machine is the initial ticket (before
> locking the machine) !! The TGT is a new one. If the
> TGS-REQ is negotiated with the KDC, what happens with
> the new session ticket ? why can't I see it with klist
> ?
> 
> Another doubt is about the logon process in windows
> machine. Does the user negotiate a KDC_AP_REQ with the
> windows machine upon AS-REQ and TGS-REQ with the KDC ?
> From the windows 2000 white paper, it seems that only
> AS-REQ and TGS-REQ are required for a user to log in
> to the windows machine...
> 
> Hope somebody can help me to clear my doubts,
> lara 
> 
> =====
> ------------------------------------------------------------------------------------ 
> Life, you see, is never as good or as bad as one thinks
>                                                                         - Guy de Maupassant -
> ------------------------------------------------------------------------------------
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
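
The pattern described in the question (an AS-REQ followed by a TGS-REQ for the workstation's host ticket at every logon or unlock) can be picked out of a KDC log mechanically. The following is an added example, not part of the original thread; it assumes the MIT krb5kdc `AS_REQ`/`TGS_REQ ... ISSUE` log line layout, and the sample lines, realm, host names, addresses and the `reauth_events` helper are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the krb5kdc log layout (not taken from the thread):
# a logon at 09:00, an unrelated service ticket at 11:30, an unlock at 13:40.
SAMPLE_LOG = """\
Jul 02 09:00:01 kdc krb5kdc[411](info): AS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1088773201, etypes {rep=23 tkt=16 ses=23}, lara@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 02 09:00:01 kdc krb5kdc[411](info): TGS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1088773201, etypes {rep=23 tkt=16 ses=23}, lara@EXAMPLE.COM for host/win2k.example.com@EXAMPLE.COM
Jul 02 11:30:00 kdc krb5kdc[411](info): TGS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1088773201, etypes {rep=23 tkt=16 ses=23}, lara@EXAMPLE.COM for ldap/dc.example.com@EXAMPLE.COM
Jul 02 13:40:12 kdc krb5kdc[411](info): AS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1088790012, etypes {rep=23 tkt=16 ses=23}, lara@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jul 02 13:40:13 kdc krb5kdc[411](info): TGS_REQ (2 etypes {23 3}) 192.0.2.10: ISSUE: authtime 1088790012, etypes {rep=23 tkt=16 ses=23}, lara@EXAMPLE.COM for host/win2k.example.com@EXAMPLE.COM
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(.*?\) (?P<addr>\S+): ISSUE: .*, "
    r"(?P<client>\S+) for (?P<service>\S+)$"
)

def reauth_events(log_text, window=timedelta(seconds=5), year=2004):
    """Return (time, client, addr, host_service) for each AS_REQ that is followed,
    within `window`, by a TGS_REQ for a host/ service from the same client and address.
    Syslog timestamps carry no year, so `year` is an assumption supplied by the caller."""
    pending = {}   # (client, addr) -> time of the latest AS_REQ for a krbtgt
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an issued AS_REQ/TGS_REQ line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["client"], m["addr"])
        if m["kind"] == "AS_REQ" and m["service"].startswith("krbtgt/"):
            pending[key] = when                      # new TGT issued
        elif m["kind"] == "TGS_REQ" and m["service"].startswith("host/"):
            started = pending.pop(key, None)         # host ticket right after a TGT?
            if started is not None and when - started <= window:
                events.append((started, m["client"], m["addr"], m["service"]))
    return events

if __name__ == "__main__":
    for when, client, addr, service in reauth_events(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S}  {client} re-authenticated from {addr} ({service})")
```

The KDC log alone cannot distinguish an unlock from a fresh logon; both produce the same request pair.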

