Mod_auth_kerb and Windows XP SP2
SriramG
sgopalan at etrade.com
Mon Apr 16 23:34:36 EDT 2007
Allen,
Thanks for your response.
1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1 hour).
But it’s not consistent.
2. If I leave my desktop idle for 10 mins, our corporate policy locks the
desktop, but it doesn’t create a new ticket when I unlock it.
Not sure if that’s controlled by GPO.
3. For sure it creates a new TGT or renews the TGT when I manually lock and
unlock.
Next time when this happens I will run the klist and check the ticket
EndTime.
I was able to confirm that, if the server is IIS, it switches to NTLM in this
scenario, whereas mod_auth_kerb doesn’t support NTLM.
Actually we are seeing the same symptoms as mentioned in the KB article.
http://support.microsoft.com/kb/885887
But the DLL version I have here is 5.1.2600.2698, which is higher than what’s
mentioned in the article.
--Sriram
Michael B Allen wrote:
>
>> > On the kerbtray I can see a valid ticket (non-expired).
>> > If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
>> > working fine again.
>
> The TGT is expiring. TGT tickets have a "cumulative ticket life" that
> is limited by ticket renewal policy. When it expires the secret key is
> required to get a new one (e.g. the password via ctrl-alt-del).
>
> Look at the Renew Until field in kerbtray. Note that kerbtray does not
> update automatically. You must close it and relaunch it for it to update
> the information. I think you'll find that the Renew Until time is about
> 2 days.
>
> By default Windows will lock the desktop after a short time of inactivity
> so you're seeing this problem because you have somehow bypassed that
> policy. Or you have been working for two days straight in which case
> you have bigger problems than Kerberos ticket renewal policies - you
> need a new employer ;-)
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>