Thoughts on long-lived credentials
Phil Pishioneri
pgp at psu.edu
Mon Jan 23 10:01:45 EST 2006
On 2006/1/19 3:06 PM, Luke Howard wrote:
>> Windows does this I think. In fact I seem to recall that for at
>> least some versions of Windows it doesn't even bother trying to renew
>> the tickets and just always uses the stored key.
>>
> Unfortunately I never leave my Windows workstation unlocked for long
> enough to verify this. But, given the NT OWF is present in memory to
> support NTLM clients, it makes sense to use this for Kerberos too if
> rc4-hmac is supported. Maybe someone from Microsoft can confirm.
>
I'm not from Microsoft, but from their web page "How the Kerberos
Version 5 Authentication Protocol Works: Logon and Authentication"
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/7cb7e9f7-2090-4c88-8d14-270c749fddb5.mspx>
> The LSA also keeps a copy of an interactive user’s hashed password. If
> the user's TGT expires during a logon session, the Kerberos SSP uses
> the LSA’s copy of the hashed password to obtain a new TGT without
> interrupting the user's logon session. The password is not stored
> permanently on the computer, and the local copy of the hashed password
> is destroyed when the user's logon session is destroyed.
-Phil
More information about the Kerberos
mailing list