Mod_auth_kerb and Windows XP SP2

SriramG sgopalan at etrade.com
Mon Apr 16 23:34:36 EDT 2007


Allen,

Thanks for your response.
1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1 hour).
But it's not consistent.
2. If I leave my desktop idle for 10 mins, our corporate policy locks the
desktop, but it doesn't create a new ticket when I unlock it.
   Not sure if that's controlled by GPO.
3. For sure it creates a new TGT or renews the TGT when I manually lock and
unlock.

Next time when this happens I will run the klist and check the ticket
EndTime.

I was able to confirm that if the server is IIS it switches to NTLM in this
scenario, whereas mod_auth_kerb doesn't support NTLM.

Actually we are seeing the same symptoms as mentioned in the KB article.
http://support.microsoft.com/kb/885887
But the DLL version I have here is 5.1.2600.2698, which is higher than what's
mentioned in the article.

--Sriram


Michael B Allen wrote:
> 
>> > On the kerbtray I can see a valid ticket (non-expired).
>> > If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
>> > working fine again.
> 
> The TGT is expiring. TGT tickets have a "cumulative ticket life" that
> is limited by ticket renewal policy. When it expires the secret key is
> required to get a new one (e.g. the password via ctrl-alt-del).
> 
> Look at the Renew Until field in kerbtray. Note that kerbtray does not
> update automatically. You must close it and relaunch it for it to update
> the information. I think you'll find that the Renew Until time is about
> 2 days.
> 
> By default Windows will lock the desktop after a short time of inactivity
> so you're seeing this problem because you have somehow bypassed that
> policy. Or you have been working for two days straight in which case
> you have bigger problems than Kerberos ticket renewal policies - you
> need a new employer ;-)
> 
> Mike
> 
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
View this message in context: http://www.nabble.com/Mod_auth_kerb-and-Windows-XP-SP2-tf3586194.html#a10028733
Sent from the Kerberos - General mailing list archive at Nabble.com.
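
The NTLM fallback discussed in this thread can be confirmed on the server side by looking at the token in the browser's `Authorization: Negotiate` header. The following is an added example, not code from the original messages or from mod_auth_kerb; the function names are hypothetical and the sample tokens are constructed prefixes, not captured traffic.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                            # NTLM message signature
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("2a864882f712010202"))   # 1.2.840.48018.1.2.2 (MS)

def gss_mech_oid(token):
    """Return the mechanism OID of a GSS-API initial token, or None."""
    if len(token) < 4 or token[0] != 0x60:          # [APPLICATION 0] tag
        return None
    pos = 2
    if token[1] & 0x80:                             # long-form DER length
        pos += token[1] & 0x7F
    if pos + 2 > len(token) or token[pos] != 0x06:  # OBJECT IDENTIFIER tag
        return None
    oid_len = token[pos + 1]
    oid = token[pos + 2 : pos + 2 + oid_len]
    return oid if len(oid) == oid_len else None

def classify_negotiate(header_value):
    """Classify an Authorization header value by the mechanism it carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                              # binascii.Error included
        return "malformed"
    if token.startswith(NTLMSSP):
        return "ntlm"                               # raw NTLM fallback
    oid = gss_mech_oid(token)
    if oid in KRB5_OIDS:
        return "kerberos"
    if oid == OID_SPNEGO:                           # heuristic scan of the body
        if NTLMSSP in token:
            return "ntlm"
        if any(k in token for k in KRB5_OIDS):
            return "kerberos"
    return "unknown"

def header(token):
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed token prefixes (not captured traffic); DER lengths are illustrative.
RAW_NTLM = header(NTLMSSP + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(16))
SPNEGO_KRB = header(b"\x60\x82\x05\x00\x06\x06" + OID_SPNEGO + b"\xa0\x82\x04\xf0"
                    b"\x30\x82\x04\xec\xa0\x18\x30\x16\x06\x09" + KRB5_OIDS[1]
                    + b"\x06\x09" + KRB5_OIDS[0])
```

A raw NTLM token is recognisable even without decoding, because its base64 form always begins with `TlRMTVNTUA`.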




