MIT/Win2k/XP Kerberos trust relationship bug?
Brian Davidson
bdavids1 at gmu.edu
Tue Jul 13 13:42:40 EDT 2004
Hi,
I saw this question in the archives (May 4, 2002), but with no
responses. We're running into this issue, and I was wondering if there
was any workaround [yet]?
The configuration - MIT KDC is "primary" KDC, and Windows AD KDC trusts
the MIT KDC.
The problem:
1. From an XP workstation which is a member of the AD, authenticate
against the MIT realm
2. Lock the workstation
3. Unlock the workstation
At this point, you've lost virtually all of your tickets, and you can't
access resources in the AD. I haven't found any patches, but maybe I
don't know the secret code word to put into the Microsoft
Knowledgebase, or Google.
Based on packet traces, I'm convinced it's a Windows 2000/XP bug. It's
the workstation which forgets its tickets, and then neglects to ask for
new ones.
If there isn't a fix available, I guess I'll write a GINA which acts as
a pass-through to the default GINA for all GINA functions except for
WlxWkstaLockedSAS(). I'm assuming it's dumping the tickets when
WlxWkstaLockedSAS acquires a new TGT from the MIT realm...
Thanks for any help,
Brian Davidson
George Mason University
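A client-side check to go with the packet traces: snapshot the ticket cache with klist before locking and again after unlocking, then report which tickets vanished and which were merely re-acquired. This is an added example, not code from the poster or from the MIT Kerberos project; it assumes MIT-format klist output and uses constructed sample caches with placeholder realm and host names.

```python
from typing import Dict, List

# Constructed MIT-format klist output captured BEFORE locking the workstation;
# realm and host names are placeholders, not the poster's.
KLIST_BEFORE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@MIT.EXAMPLE

Valid starting     Expires            Service principal
07/13/04 13:00:00  07/13/04 23:00:00  krbtgt/MIT.EXAMPLE@MIT.EXAMPLE
07/13/04 13:00:05  07/13/04 23:00:00  krbtgt/AD.EXAMPLE@MIT.EXAMPLE
07/13/04 13:00:06  07/13/04 23:00:00  cifs/fs1.ad.example@AD.EXAMPLE
07/13/04 13:00:07  07/13/04 23:00:00  ldap/dc1.ad.example@AD.EXAMPLE
"""
# Constructed output AFTER unlocking: only a fresh MIT TGT is left (the symptom).
KLIST_AFTER = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@MIT.EXAMPLE

Valid starting     Expires            Service principal
07/13/04 13:30:00  07/13/04 23:30:00  krbtgt/MIT.EXAMPLE@MIT.EXAMPLE
"""

def parse_klist(output: str) -> Dict[str, str]:
    """Map each service principal in klist output to its 'Valid starting' stamp."""
    tickets: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        # Ticket rows have five fields ending in a principal containing '@';
        # the column header and the 'Default principal:' line do not match.
        if len(parts) == 5 and "@" in parts[4]:
            tickets[parts[4]] = f"{parts[0]} {parts[1]}"
    return tickets

def classify(spn: str) -> str:
    """Describe a ticket: local TGT, cross-realm TGT, or service ticket."""
    service, realm = spn.rsplit("@", 1)
    name, instance = service.split("/", 1)
    if name == "krbtgt":
        return "local TGT" if instance == realm else f"cross-realm TGT for {instance}"
    return f"service ticket in realm {realm}"

def diff_caches(before: str, after: str) -> Dict[str, List[str]]:
    """Sort every ticket from the 'before' cache into lost, renewed or kept."""
    b, a = parse_klist(before), parse_klist(after)
    common = set(b) & set(a)
    return {"lost": sorted(set(b) - set(a)),
            "renewed": sorted(s for s in common if b[s] != a[s]),
            "kept": sorted(s for s in common if b[s] == a[s])}
```

On the sample caches, `diff_caches(KLIST_BEFORE, KLIST_AFTER)["lost"]` contains the cross-realm TGT for the AD realm and both AD service tickets, which is exactly the state in which AD resources become unreachable until the workstation asks for a new cross-realm TGT. The Windows klist tool prints a different layout, so `parse_klist` would need adapting to it if the snapshot is taken with that tool rather than an MIT-format client.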