Thoughts on long-lived credentials

Luke Howard lukeh at padl.com
Thu Jan 19 15:06:00 EST 2006


>1) Auto-renewal mechanism tied to a specific ccache type won't work  
>for other types of caches.

Right, we made this "mistake" with KCM. Oh well!

>Windows does this I think.  In fact I seem to recall that for at  
>least some versions of Windows it doesn't even bother trying to renew  
>the tickets and just always uses the stored key.

Unfortunately I never leave my Windows workstation unlocked for long
enough to verify this. But, given the NT OWF is present in memory to
support NTLM clients, it makes sense to use this for Kerberos too if
rc4-hmac is supported. Maybe someone from Microsoft can confirm.

(Still, I think in the end we don't want to implement this approach,
for the reasons pointed out in my initial e-mail, and Doug's.)
cheers,

-- Luke
