TGT lifetime during delegation

t3st0re@gmail.com t3st0re at gmail.com
Fri Sep 22 12:23:38 EDT 2006


I want to allow an application server to impersonate other users for a
limited time. I know that on Win2000 the application server obtains the
Kerberos TGT during delegation. Win2003 also allows constrained
delegation, and I would use that model if it's possible.


I'm thinking of setting the Kerberos server to issue tickets with
reduced lifetime (by setting MaxServiceTicketAge and MaxTicketAge to 20
minutes, for example), but I'm not sure if it would work, as I'm not
sure if the TGT isn't renewed automatically on the application server
before it expires.



