Mod_auth_kerb and Windows XP SP2

Gopalan, Sriram sgopalan at etrade.com
Mon Apr 16 23:34:42 EDT 2007


Allen,

Thanks for your response.
1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
hour). But it's not consistent.
2. If I leave my desktop idle for 10 mins, our corporate policy locks
the desktop, but it doesn't create a new ticket when I unlock it.
   Not sure if that's controlled by GPO.
3. For sure it creates a new TGT or renews the TGT when I manually lock
and unlock.

Next time when this happens I will run the klist and check the ticket
EndTime.

I was able to confirm that if the server is IIS it switches to NTLM in
this scenario, whereas mod_auth_kerb doesn't support NTLM.

Actually we are seeing the same symptoms as mentioned in the KB article:
http://support.microsoft.com/kb/885887
But the DLL version I have here is 5.1.2600.2698, which is higher than
what's mentioned in the article.

--Sriram

-----Original Message-----
From: Michael B Allen [mailto:mba2000 at ioplex.com] 
Sent: Monday, April 16, 2007 4:56 PM
To: Gopalan, Sriram
Cc: kerberos at mit.edu
Subject: Re: Mod_auth_kerb and Windows XP SP2

> > On the kerbtray I can see a valid ticket (non-expired).
> > If the user locks the desktop (ctrl-alt-del) and unlocks it, it
> > starts working fine again.

The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
limited by ticket renewal policy. When it expires the secret key is
required to get a new one (e.g. the password via ctrl-alt-del).

Look at the Renew Until field in kerbtray. Note that kerbtray does not
update automatically. You must close it and relaunch it for it to update
the information. I think you'll find that the Renew Until time is about
2 days.

By default Windows will lock the desktop after a short time of
inactivity so you're seeing this problem because you have somehow
bypassed that policy. Or you have been working for two days straight in
which case you have bigger problems than Kerberos ticket renewal
policies - you need a new employer ;-)

Mike

--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
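A small diagnostic for the klist check Sriram plans to run, added here as an example that is not part of this thread, of mod_auth_kerb, or of Mike's code: it parses Windows `klist` output, finds the krbtgt ticket and classifies it against the End Time and Renew Time fields Mike describes, so a helpdesk can tell "the TGT can still be renewed silently" apart from "the renew window is gone and only a fresh logon with the user's key will help". The klist text, principal, realm, times and flags are constructed for the example; the field labels follow the layout of the Windows klist tool (an assumption, and older Resource Kit builds print differently); the function names are mine.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample of Windows `klist` output. The layout mirrors the
# Windows klist tool (assumed), but every value (principal, realm, times,
# flags) is made up for this example; nothing was captured from a real host.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: sriram @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x60a00000 -> forwardable forwarded renewable pre_authent
        Start Time: 4/16/2007 9:00:00 (local)
        End Time:   4/16/2007 19:00:00 (local)
        Renew Time: 4/18/2007 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

#1>     Client: sriram @ CORP.EXAMPLE
        Server: HTTP/intranet.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 4/16/2007 9:05:00 (local)
        End Time:   4/16/2007 19:00:00 (local)
        Renew Time: 4/18/2007 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_klist_time(value: str) -> datetime:
    """Turn '4/16/2007 19:00:00 (local)' into a naive local datetime."""
    return datetime.strptime(value.split(" (")[0].strip(), TIME_FORMAT)


def parse_klist(text: str) -> list:
    """Split klist output into one dict of fields per cached ticket."""
    tickets = []
    current = None
    for line in text.splitlines():
        head = re.match(r"^#\d+>\s*(.*)$", line)
        if head:
            current = {}
            tickets.append(current)
            line = head.group(1)          # rest of the '#N>' line is a field
        if current is None:
            continue                      # header lines before the first entry
        flags = re.match(r"^\s*Ticket Flags\s+(0x[0-9a-fA-F]+)\s*->\s*(.*?)\s*$", line)
        if flags:
            current["Ticket Flags"] = flags.group(2).lower().split()
            continue
        field = re.match(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", line)
        if field:
            current[field.group(1).strip()] = field.group(2)
    return tickets


def find_tgt(tickets: list) -> Optional[dict]:
    """The TGT is the ticket whose service principal is krbtgt/<REALM>."""
    for ticket in tickets:
        if ticket.get("Server", "").lower().startswith("krbtgt/"):
            return ticket
    return None


def diagnose_tgt(klist_text: str, now: datetime) -> str:
    """
    Classify the cached TGT at time `now`:
      valid                  - End Time still ahead; SSO should work.
      expired-renewable      - past End Time but inside the Renew Time window
                               and the ticket is renewable; the LSA can renew it
                               without a password (lock/unlock is one trigger).
      expired-needs-password - Renew Time passed (or not renewable); only a new
                               AS exchange with the user's key replaces it.
      no-tgt                 - no krbtgt ticket in the cache at all.
    """
    tgt = find_tgt(parse_klist(klist_text))
    if tgt is None:
        return "no-tgt"
    end_time = parse_klist_time(tgt["End Time"])
    if now < end_time:
        return "valid"
    renewable = "renewable" in tgt.get("Ticket Flags", [])
    renew_until = parse_klist_time(tgt["Renew Time"]) if "Renew Time" in tgt else end_time
    if renewable and now < renew_until:
        return "expired-renewable"
    return "expired-needs-password"


if __name__ == "__main__":
    for when in ("4/16/2007 12:00:00", "4/16/2007 20:00:00", "4/19/2007 8:00:00"):
        print(when, "->", diagnose_tgt(SAMPLE_KLIST, datetime.strptime(when, TIME_FORMAT)))
```

On a real workstation, feed it the saved output of `klist` and the current local time; the three states map directly onto the thread's symptoms, since a TGT in the `expired-renewable` state is what a lock/unlock quietly repairs, while `expired-needs-password` is the cumulative-lifetime case Mike describes.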
