Mod_auth_kerb and Windows XP SP2

Michael B Allen mba2000 at ioplex.com
Tue Apr 17 03:33:49 EDT 2007 

On Mon, 16 Apr 2007 23:34:42 -0400
"Gopalan, Sriram" <sgopalan at etrade.com> wrote:

> Allen,
> 
> Thanks for you response.
> 1. I have seen auth dialog pops up on FF and IE after ctrl-alt-del (1
> hour). But, its not consistant. 
> 2. If I leave my desktop idle for 10 mins, out corporate policy locks
> the desktop, but it doesn't create a new ticket when I unlock it. 
>    Not sure if that's controlled by GPO.
> 3. For sure it creates a new TGT or renews the TGT when I manually lock
> and unlock.

This sounds like a completely different problem which has been discussed
on the mod_auth_kerb list previously. And for which there was no
resolution.

> Next time when this happens I will run the klist and check the ticket
> EndTime.
> 
> I was able to confirmed that, if the server is IIS it switch to NTLM on
> this scenario, where as mod_auth_kerb doesn't support NTLM.

If you can reproduce the problem with IIS that sounds like precedence
for requesting an explaination from MS.

> Actually we are seeing the same sympotms as mentioned in the KB article.
> http://support.microsoft.com/kb/885887
> But the DLL version I have here is 5.1.2600.2698. Which is higher than
> whats mentioned on the article.

This sounds like a simple domain controller availability issue. Perhaps
mod_auth_kerb or libkrb5 could benifit from some retry capability.

Mike

> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com] 
> Sent: Monday, April 16, 2007 4:56 PM
> To: Gopalan, Sriram
> Cc: kerberos at mit.edu
> Subject: Re: Mod_auth_kerb and Windows XP SP2
> 
> > > On the kerbtray I can see a valid ticket (non-expired).
> > > If the user locks the desktop(ctrl-alt-del) and unlocks it its 
> > > starts working fine again.
> 
> The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
> limited by ticket renewal policy. When it expires the secret key is
> required to get a new one (e.g. the password via ctrl-alt-del).
> 
> Look at the Renew Until field in kerbtray. Note that kerbtray does not
> update automatically. You must close it and relaunch it for it to update
> the information. I think you'll find that the Renew Until time is about
> 2 days.
> 
> By default Windows will lock the desktop after a short time of
> inactivity so you're seeing this problem because you have somehow
> bypassed that policy. Or you have been working for two days straight in
> which case you have bigger problems than Kerberos ticket renewal
> policies - you need a new employer ;-)
> 
> Mike
> 
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> 


-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

More information about the Kerberos mailing list