What happens to TGT and tickets when user locks the windowsmachine

Lara Adianto m1r4cle_26 at yahoo.com
Sun Jul 4 22:57:55 EDT 2004


Thank you for the replies guys !

So in summary, windows will validate the password entered by the user
against the hash password, and only if this is not successful will it
send AS-REQ & TGS-REQ to the KDC ?

OR

Both ways (validation against hash password and
validation with KDC) are done at the same time ?

I still don't understand why the TGT in my windows
machine is replaced with a new one from AS-REP while
the session ticket is not replaced....

Regards,
lara

--- "Richard B. Ward" <richardw at windows.microsoft.com> wrote:
> 
> Once you log on to a windows box, the TGTs are cached, in memory, in the
> context of the LSASS process.  The tickets are nominally available for
> use by any process running as you, tracked by the logon session.  They
> are not tossed until you logoff; they are replaced as required by the
> lifespan and other considerations.  Service tickets are cached likewise,
> although they can be tossed more aggressively.
> 
> When you lock the windowstation and attempt an unlock, two separate
> paths can take place.  First, the common case, we validate your password
> against an in-memory hash of your logon password.  If that succeeds,
> then we let the user back into the system, but in the background, we do
> a real logon against the KDC for the user.  This lets us get a valid
> audit that the unlock took place.  If the password doesn't work against
> the in-memory hash, then we try a logon against the KDC with the new
> password.  If that works, then the user has changed the password from a
> different machine, and we do our best to adapt.
> 
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf Of Jeffrey Altman
> Sent: Friday, July 02, 2004 10:58 AM
> To: kerberos at MIT.EDU
> Subject: Re: What happens to TGT and tickets when user locks the windowsmachine
> 
> Nothing should happen to the tickets.
> When the user logs back in, Windows should re-authenticate the user to
> the KDC and therefore will obtain a new TGT and a host ticket for the
> local machine.
> 
> Lara Adianto wrote:
> > Hello,
> > 
> > I have a win2k machine which is a member of MIT Realm.
> > A user who has an account in the MIT Realm logs on using the win2k
> > machine.
> > 
> > Using klist, I can see there are two tickets:
> > - 1 TGT, with the MIT KDC
> > - 1 session ticket with the win2k machine
> > 
> > What will happen when the user locks the machine ?
> > Will he lose the tickets ?
> > 
> > Based on my experiment, when the user locks the machine, and then
> > unlocks it, AS-REQ and TGS-REQ are reinitiated (recorded in the log
> > file of KDC).
> > Logically, this means that klist will show new TGT and new session
> > ticket.
> > 
> > However, my observation shows that the session ticket with the win2k
> > machine is the initial ticket (before locking the machine) !! The TGT
> > is a new one. If the TGS-REQ is negotiated with the KDC, what happens
> > with the new session ticket ? Why can't I see it with klist ?
> > 
> > Another doubt is about the logon process in windows machine. Does the
> > user negotiate a KDC_AP_REQ with the windows machine upon AS-REQ and
> > TGS-REQ with the KDC ?
> > From the windows 2000 white paper, it seems that only AS-REQ and
> > TGS-REQ are required for a user to log in into the windows machine...
> > 
> > Hope somebody can help me to clear my doubts, lara
> > 
> > =====
> > Life, you see, is never as good or as bad as one thinks.
> > - Guy de Maupassant -
> > 
> 
> --
> -----------------
> This e-mail account is not read on a regular basis.
> Please send private responses to jaltman at mit dot
> edu


=====
Life, you see, is never as good or as bad as one thinks.
                                                                        - Guy de Maupassant -
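The two unlock paths Richard Ward describes above, written out as a small Python model. This is an added illustration, not code from this thread, from Microsoft or from MIT Kerberos: the in-memory "hash" is a SHA-256 stand-in for whatever LSASS really keeps, the KDC is a dictionary with an audit list, ticket ids are counters, and the names `ToyKDC`, `ToyWorkstation` and `host/ws1.example.org` are invented. One behaviour the thread does not spell out is assumed and marked in the comments: when the cached hash matches but the background KDC logon fails, the model keeps the old TGT.

```python
"""Toy model of the Windows lock/unlock paths described in the thread.

Added example; control flow only (cached-hash check first, background
KDC logon, KDC logon with the new password as the fallback).
"""
import hashlib
import itertools
from dataclasses import dataclass, field

_ticket_ids = itertools.count(1)


def _verifier(password: str) -> str:
    # Stand-in for the in-memory logon-password hash (assumption: SHA-256, not the real algorithm).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Ticket:
    kind: str          # "TGT" or "service"
    principal: str     # e.g. "krbtgt/EXAMPLE.ORG" or "host/ws1.example.org"
    issued: int
    lifetime: int
    ticket_id: int = field(default_factory=lambda: next(_ticket_ids))

    def valid_at(self, now: int) -> bool:
        return now < self.issued + self.lifetime


class ToyKDC:
    """Dictionary-backed KDC that records every AS-REQ/TGS-REQ in an audit list."""

    def __init__(self, passwords: dict, lifetime: int = 600):
        self.passwords = dict(passwords)
        self.lifetime = lifetime
        self.audit = []  # constructed audit log: (request, subject, outcome)

    def as_req(self, user: str, password: str, now: int):
        ok = self.passwords.get(user) == password
        self.audit.append(("AS-REQ", user, "ok" if ok else "PREAUTH_FAILED"))
        return Ticket("TGT", "krbtgt/EXAMPLE.ORG", now, self.lifetime) if ok else None

    def tgs_req(self, tgt, service: str, now: int):
        ok = tgt is not None and tgt.kind == "TGT" and tgt.valid_at(now)
        self.audit.append(("TGS-REQ", service, "ok" if ok else "TGT_EXPIRED"))
        return Ticket("service", service, now, self.lifetime) if ok else None


class ToyWorkstation:
    """The logon session LSASS holds: ticket cache plus password verifier."""

    HOST_SPN = "host/ws1.example.org"  # assumed SPN of the workstation itself

    def __init__(self, kdc: ToyKDC):
        self.kdc, self.user, self.verifier, self.tgt, self.services = kdc, None, None, None, {}

    def logon(self, user: str, password: str, now: int) -> bool:
        tgt = self.kdc.as_req(user, password, now)
        if tgt is None:
            return False
        self.user, self.verifier, self.tgt = user, _verifier(password), tgt
        self.services[self.HOST_SPN] = self.kdc.tgs_req(tgt, self.HOST_SPN, now)
        return True

    def klist(self, now: int) -> list:
        """Like `klist`: the TGT plus every cached service ticket still in its lifetime."""
        tickets = [self.tgt] + list(self.services.values())
        return [(t.principal, t.ticket_id) for t in tickets if t and t.valid_at(now)]

    def lock(self) -> None:
        pass  # locking leaves the logon session and its ticket cache untouched

    def unlock(self, password: str, now: int) -> dict:
        old_tgt, old_host = self.tgt.ticket_id, self.services[self.HOST_SPN].ticket_id
        if _verifier(password) == self.verifier:
            # Common path: verifier matches, desktop is unlocked at once; the KDC logon
            # runs "in the background" and is what produces the KDC-side audit record.
            # Assumption: if that logon fails, the old TGT is kept.
            path, new_tgt = "cached-hash", self.kdc.as_req(self.user, password, now)
        else:
            # Fallback: maybe the password was changed elsewhere, so ask the KDC.
            new_tgt = self.kdc.as_req(self.user, password, now)
            if new_tgt is None:
                return {"allowed": False, "path": "rejected",
                        "tgt_replaced": False, "host_ticket_replaced": False}
            path, self.verifier = "kdc-new-password", _verifier(password)  # "adapt"
        if new_tgt is not None:
            self.tgt = new_tgt  # only the TGT is refreshed; the cached host ticket stays
        return {"allowed": True, "path": path,
                "tgt_replaced": self.tgt.ticket_id != old_tgt,
                "host_ticket_replaced": self.services[self.HOST_SPN].ticket_id != old_host}


def run_scenario() -> dict:
    """Constructed walk-through: logon, lock, then three unlock attempts."""
    kdc = ToyKDC({"lara": "s3cret"})
    ws = ToyWorkstation(kdc)
    if not ws.logon("lara", "s3cret", now=0):
        raise RuntimeError("initial logon failed")
    before = ws.klist(now=10)
    ws.lock()
    same = ws.unlock("s3cret", now=20)        # common path, background AS-REQ
    kdc.passwords["lara"] = "n3w-pass"        # password changed from another machine
    wrong = ws.unlock("bogus", now=30)        # neither verifier nor KDC accepts it
    changed = ws.unlock("n3w-pass", now=40)   # KDC path, verifier updated
    return {"before": before, "after": ws.klist(now=50), "same": same,
            "wrong": wrong, "changed": changed, "audit": list(kdc.audit)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running it shows the pattern Lara reports: after the unlock the TGT entry in `klist` carries a new id while the host ticket keeps its original one, and the KDC audit list has an AS-REQ for each unlock, including a failed one for the wrong password, which is the record a KDC log review would look for.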

