MIT/Win2k/XP Kerberos trust relationship bug?

Brian Davidson bdavids1 at gmu.edu
Tue Jul 13 13:42:40 EDT 2004


Hi,

I saw this question in the archives (May 4, 2002), but with no 
responses.  We're running into this issue, and I was wondering if there 
was any workaround [yet]?

The configuration - MIT KDC is "primary" KDC, and Windows AD KDC trusts 
the MIT KDC.

The problem:
1. From an XP workstation which is a member of the AD, authenticate 
against the MIT realm
2. Lock the workstation
3. Unlock the workstation

At this point, you've lost virtually all of your tickets, and you can't 
access resources in the AD.  I haven't found any patches, but maybe I 
don't know the secret code word to put into the Microsoft 
Knowledgebase, or Google.

Based on packet traces, I'm convinced it's a Windows 2000/XP bug.  It's 
the workstation which forgets its tickets, and then neglects to ask for 
new ones.

If there isn't a fix available, I guess I'll write a GINA which acts as 
a pass-through to the default GINA for all GINA functions except for 
WlxWkstaLockedSAS().  I'm assuming it's dumping the tickets when 
WlxWkstaLockedSAS acquires a new TGT from the MIT realm...

Thanks for any help,

Brian Davidson
George Mason University


