What happens to TGT and tickets when user locks the windows machine

Lara Adianto m1r4cle_26 at yahoo.com
Wed Jun 30 05:04:28 EDT 2004


I have a win2k machine which is a member of MIT Realm.
A user who has an account in the MIT Realm logs on
using the win2k machine. 

Using klist, I can see there are two tickets:
- 1 TGT, with the MIT KDC
- 1 session ticket with the win2k machine

What will happen when the user locks the machine?
Will he lose the tickets?

Based on my experiment, when the user locks the
machine, and then unlocks it, AS-REQ and TGS-REQ are
reinitiated (recorded in the log file of KDC). 
Logically, this means that klist will show a new TGT and
a new session ticket.

However, my observation shows that the session ticket
with the win2k machine is the initial ticket (before
locking the machine)!! The TGT is a new one. If the
TGS-REQ is negotiated with the KDC, what happens with
the new session ticket? Why can't I see it with klist?

Another doubt is about the logon process on a Windows
machine. Does the user negotiate a KDC_AP_REQ with the
Windows machine upon AS-REQ and TGS-REQ with the KDC?
From the Windows 2000 white paper, it seems that only
AS-REQ and TGS-REQ are required for a user to log in
to the Windows machine...

Hope somebody can help me to clear my doubts,

Life, you see, is never as good nor as bad as one thinks
    - Guy de Maupassant -
