Mod_auth_kerb and Windows XP SP2
Michael B Allen
mba2000 at ioplex.com
Tue Apr 17 03:33:49 EDT 2007
On Mon, 16 Apr 2007 23:34:42 -0400
"Gopalan, Sriram" <sgopalan at etrade.com> wrote:
> Allen,
>
> Thanks for your response.
> 1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
> hour). But it's not consistent.
> 2. If I leave my desktop idle for 10 mins, our corporate policy locks
> the desktop, but it doesn't create a new ticket when I unlock it.
> Not sure if that's controlled by GPO.
> 3. For sure it creates a new TGT or renews the TGT when I manually lock
> and unlock.
This sounds like a completely different problem which has been discussed
on the mod_auth_kerb list previously. And for which there was no
resolution.
> Next time this happens I will run klist and check the ticket
> EndTime.
>
> I was able to confirm that, if the server is IIS, it switches to NTLM in
> this scenario, whereas mod_auth_kerb doesn't support NTLM.
If you can reproduce the problem with IIS that sounds like precedent
for requesting an explanation from MS.
> Actually we are seeing the same symptoms as mentioned in the KB article.
> http://support.microsoft.com/kb/885887
> But the DLL version I have here is 5.1.2600.2698, which is higher than
> what's mentioned in the article.
This sounds like a simple domain controller availability issue. Perhaps
mod_auth_kerb or libkrb5 could benefit from some retry capability.
Mike
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: Monday, April 16, 2007 4:56 PM
> To: Gopalan, Sriram
> Cc: kerberos at mit.edu
> Subject: Re: Mod_auth_kerb and Windows XP SP2
>
> > > On the kerbtray I can see a valid ticket (non-expired).
> > > If the user locks the desktop (ctrl-alt-del) and unlocks it, it
> > > starts working fine again.
>
> The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
> limited by ticket renewal policy. When it expires the secret key is
> required to get a new one (e.g. the password via ctrl-alt-del).
>
> Look at the Renew Until field in kerbtray. Note that kerbtray does not
> update automatically. You must close it and relaunch it for it to update
> the information. I think you'll find that the Renew Until time is about
> 2 days.
>
> By default Windows will lock the desktop after a short time of
> inactivity so you're seeing this problem because you have somehow
> bypassed that policy. Or you have been working for two days straight in
> which case you have bigger problems than Kerberos ticket renewal
> policies - you need a new employer ;-)
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
>
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
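As an added example (not part of this thread, and not code from mod_auth_kerb or ioplex), here is a small Python script that does the check Mike suggests: read the TGT's end time and renew-until time out of a ticket cache listing and classify it as still valid, expired but still renewable (no password needed), or past renew-until, where only the secret key, i.e. the password via ctrl-alt-del, will get a new TGT. The klist text, principal names and realm below are constructed, and the field layout assumes MIT krb5 klist output ("Valid starting / Expires / Service principal" plus an indented "renew until" line); Windows klist.exe and kerbtray print a different layout and are not parsed here.

```python
"""Classify a Kerberos TGT from MIT-style `klist` output.

Added example for the mailing-list discussion above; not code from the
thread. The sample text below is constructed. Only the MIT krb5 klist
layout is handled; Windows klist.exe / kerbtray output differs.
"""
import re
from datetime import datetime

# Constructed sample: a TGT with a 10 hour lifetime and a renew-until
# about two days out, matching the "Renew Until ... about 2 days" that
# Mike describes. Hostnames, realm and times are invented.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sgopalan@CORP.EXAMPLE.COM

Valid starting       Expires              Service principal
04/16/2007 09:00:00  04/16/2007 19:00:00  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
\trenew until 04/18/2007 09:00:00
04/16/2007 09:05:12  04/16/2007 19:00:00  HTTP/intranet.corp.example.com@CORP.EXAMPLE.COM
\trenew until 04/18/2007 09:00:00
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
    r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$"
)
RENEW_RE = re.compile(r"^\s+renew until (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)$")


def parse_klist(text):
    """Return a list of dicts: service, start, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # The "renew until" line belongs to the ticket printed just above it.
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def tgt_state(tickets, now):
    """Classify the krbtgt ticket at time `now`.

    "valid"         : end time not yet reached; SSO to mod_auth_kerb should work.
    "renewable"     : expired, but renew-until is still ahead, so the ticket can
                      be renewed (kinit -R, or the OS doing it) without a password.
    "reauth-needed" : renew-until has passed (or the ticket is not renewable);
                      only the secret key, i.e. the password, gets a new TGT.
                      This is the lock/unlock (ctrl-alt-del) case in the thread.
    "no-tgt"        : no krbtgt entry in the cache at all.
    """
    tgts = [t for t in tickets if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "no-tgt"
    t = tgts[0]
    if now < t["expires"]:
        return "valid"
    if t["renew_until"] is not None and now < t["renew_until"]:
        return "renewable"
    return "reauth-needed"


def classify_at(klist_text, now_str):
    """Parse klist text and classify the TGT at the given time string."""
    return tgt_state(parse_klist(klist_text), datetime.strptime(now_str, TIME_FMT))


if __name__ == "__main__":
    for when in ("04/16/2007 12:00:00", "04/17/2007 03:33:49", "04/18/2007 10:00:00"):
        print(when, "->", classify_at(KLIST_OUTPUT, when))
```

On a real client, feed it the output of `klist` from the user's session at the moment the browser prompts; a result of "reauth-needed" while kerbtray still shows a ticket is exactly the renew-until expiry Mike describes, whereas "valid" at that moment points at something else (such as the DC availability problem in the KB article).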