Mod_auth_kerb and Windows XP SP2

Michael B Allen mba2000 at ioplex.com
Mon Apr 16 19:56:03 EDT 2007


> > On the kerbtray I can see a valid ticket (non-expired).
> > If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
> > working fine again.

The TGT is expiring. TGT tickets have a "cumulative ticket life" that
is limited by ticket renewal policy. When it expires the secret key is
required to get a new one (e.g. the password via ctrl-alt-del).

Look at the Renew Until field in kerbtray. Note that kerbtray does not
update automatically. You must close it and relaunch it for it to update
the information. I think you'll find that the Renew Until time is about
2 days.

By default Windows will lock the desktop after a short time of inactivity
so you're seeing this problem because you have somehow bypassed that
policy. Or you have been working for two days straight in which case
you have bigger problems than Kerberos ticket renewal policies - you
need a new employer ;-)

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
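
The renewal limit described in the reply above, as an added example that is not part of the original post: a simplified model of a client that renews its TGT shortly before each expiry until the Renew Until time is reached. The 10-hour ticket lifetime, the 1-hour renewal margin and the dates are constructed values, and the 2-day renewal window follows the post's estimate rather than any measured policy.

```python
from datetime import datetime, timedelta

def renew(now, end, renew_till, lifetime):
    """New end time if a renewal at `now` succeeds, else None.

    Model of the KDC rule: an expired ticket cannot be renewed, and a
    renewed ticket never outlives the renew-till time.
    """
    if now >= end or now >= renew_till:
        return None
    return min(now + lifetime, renew_till)

def simulate(auth_time, lifetime, renew_window, margin):
    """Renew `margin` before each expiry; return (renew_till, end times)."""
    renew_till = auth_time + renew_window
    end = auth_time + lifetime
    ends = [end]
    while True:
        new_end = renew(end - margin, end, renew_till, lifetime)
        if new_end is None or new_end <= end:
            return renew_till, ends  # no further extension is possible
        end = new_end
        ends.append(end)

def state(now, end, renew_till):
    """Classify what a ticket viewer would show at `now`."""
    if now >= end:
        return "expired"        # secret key (password) needed for a new TGT
    if end >= renew_till:
        return "valid-final"    # still valid, but cannot be extended
    return "renewable"

# Constructed sample values (assumptions, not taken from the post).
AUTH = datetime(2007, 4, 14, 20, 0)   # initial logon
LIFETIME = timedelta(hours=10)        # assumed ticket lifetime
WINDOW = timedelta(days=2)            # "about 2 days" per the post
MARGIN = timedelta(hours=1)           # assumed renewal lead time

if __name__ == "__main__":
    renew_till, ends = simulate(AUTH, LIFETIME, WINDOW, MARGIN)
    for e in ends:
        print("ticket valid until", e, "->", state(e - MARGIN, e, renew_till))
    print("password required after", ends[-1])
```

The last ticket in the sequence still shows as valid until the Renew Until time, after which only a fresh authentication with the user's secret key yields a new TGT.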


