MIT/Win2k/XP Kerberos trust relationship bug?

Jeffrey Altman jaltman2 at nyc.rr.com
Tue Jul 13 15:45:21 EDT 2004


Windows obtains tickets on an as-needed basis.
It should not matter whether or not the tickets are purged from the cache.

What are you attempting to do that is failing?

Jeffrey Altman


Brian Davidson wrote:
> Hi,
> 
> I saw this question in the archives (May 4, 2002), but with no 
> responses.  We're running into this issue, and I was wondering if there 
> was any workaround [yet]?
> 
> The configuration - MIT KDC is "primary" KDC, and Windows AD KDC trusts 
> the MIT KDC.
> 
> The problem:
> 1. From an XP workstation which is a member of the AD, authenticate against 
> the MIT realm
> 2. Lock the workstation
> 3. Unlock the workstation
> 
> At this point, you've lost virtually all of your tickets, and you can't 
> access resources in the AD.  I haven't found any patches, but maybe I 
> don't know the secret code word to put into the Microsoft Knowledgebase, 
> or Google.
> 
> Based on packet traces, I'm convinced it's a Windows 2000/XP bug.  It's 
> the workstation which forgets its tickets, and then neglects to ask for 
> new ones.
> 
> If there isn't a fix available, I guess I'll write a GINA which acts as 
> a pass-through to the default GINA for all GINA functions except for 
> WlxWkstaLockedSAS().  I'm assuming it's dumping the tickets when 
> WlxWkstaLockedSAS acquires a new TGT from the MIT realm...
> 
> Thanks for any help,
> 
> Brian Davidson
> George Mason University
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

