Thoughts on long-lived credentials

Phil Pishioneri pgp at psu.edu
Mon Jan 23 10:01:45 EST 2006


On 2006/1/19 3:06 PM, Luke Howard wrote:
>> Windows does this I think.  In fact I seem to recall that for at
>> least some versions of Windows it doesn't even bother trying to renew
>> the tickets and just always uses the stored key.
>>
> Unfortunately I never leave my Windows workstation unlocked for long
> enough to verify this. But, given the NT OWF is present in memory to
> support NTLM clients, it makes sense to use this for Kerberos too if
> rc4-hmac is supported. Maybe someone from Microsoft can confirm.
>

I'm not from Microsoft, but from their web page "How the Kerberos 
Version 5 Authentication Protocol Works: Logon and Authentication"

<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/7cb7e9f7-2090-4c88-8d14-270c749fddb5.mspx>

> The LSA also keeps a copy of an interactive user’s hashed password. If 
> the user's TGT expires during a logon session, the Kerberos SSP uses 
> the LSA’s copy of the hashed password to obtain a new TGT without 
> interrupting the user's logon session. The password is not stored 
> permanently on the computer, and the local copy of the hashed password 
> is destroyed when the user's logon session is destroyed.

-Phil
