Mod_auth_kerb and Windows XP SP2
SriramG
sgopalan at etrade.com
Tue Apr 17 12:22:37 EDT 2007
Ok again this morning, I started to get prompted.
I unlocked my PC today. But it didn't renew my ticket.
Here is my klist (The site I am trying to access is
mychannele.corp.mycompany.com)
C:\Program Files\Resource Kit>date /t
Tue 04/17/2007
C:\Program Files\Resource Kit>time /t
09:14 AM
C:\Program Files\Resource Kit>klist tickets
Cached Tickets: (7)
Server: krbtgt/CORP.MYCOMPANY.COM at CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
Server: krbtgt/CORP.MYCOMPANY.COM at CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
Server: SFO1DC1$@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
Server:
ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com at CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
Server: LXDM14545$@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
Server: HTTP/mychannele.corp.mycompany.com at CORP.MYCOMPANY.COM
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
Server: SFO1-GFS6LB1$@CORP.MYCOMPANY.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 4/17/2007 11:10:58
Renew Time: 4/24/2007 1:10:58
C:\Program Files\Resource Kit>klist tgt
Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: sgopalan
DomainName: CORP.MYCOMPANY.COM?
TargetDomainName: CORP.MYCOMPANY.COM?
AltTargetDomainName: CORP.MYCOMPANY.COM?
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:8048
StartTime: 4/17/2007 1:10:58
EndTime: 4/17/2007 11:10:58
RenewUntil: 4/24/2007 1:10:58
TimeSkew: 4/24/2007 1:10:58
--Sriram
C:\Program Files\Resource Kit>
Michael B Allen wrote:
>
> On Mon, 16 Apr 2007 23:34:42 -0400
> "Gopalan, Sriram" <sgopalan at etrade.com> wrote:
>
>> Allen,
>>
>> Thanks for your response.
>> 1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
>> hour). But it's not consistent.
>> 2. If I leave my desktop idle for 10 mins, our corporate policy locks
>> the desktop, but it doesn't create a new ticket when I unlock it.
>> Not sure if that's controlled by GPO.
>> 3. For sure it creates a new TGT or renews the TGT when I manually lock
>> and unlock.
>
> This sounds like a completely different problem which has been discussed
> on the mod_auth_kerb list previously. And for which there was no
> resolution.
>
>> Next time when this happens I will run the klist and check the ticket
>> EndTime.
>>
>> I was able to confirm that, if the server is IIS, it switches to NTLM in
>> this scenario, whereas mod_auth_kerb doesn't support NTLM.
>
> If you can reproduce the problem with IIS that sounds like precedence
> for requesting an explanation from MS.
>
>> Actually we are seeing the same symptoms as mentioned in the KB article.
>> http://support.microsoft.com/kb/885887
>> But the DLL version I have here is 5.1.2600.2698. Which is higher than
>> what's mentioned in the article.
>
> This sounds like a simple domain controller availability issue. Perhaps
> mod_auth_kerb or libkrb5 could benefit from some retry capability.
>
> Mike
>
>> -----Original Message-----
>> From: Michael B Allen [mailto:mba2000 at ioplex.com]
>> Sent: Monday, April 16, 2007 4:56 PM
>> To: Gopalan, Sriram
>> Cc: kerberos at mit.edu
>> Subject: Re: Mod_auth_kerb and Windows XP SP2
>>
>> > > On the kerbtray I can see a valid ticket (non-expired).
>> > > If the user locks the desktop (ctrl-alt-del) and unlocks it, it
>> > > starts working fine again.
>>
>> The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
>> limited by ticket renewal policy. When it expires the secret key is
>> required to get a new one (e.g. the password via ctrl-alt-del).
>>
>> Look at the Renew Until field in kerbtray. Note that kerbtray does not
>> update automatically. You must close it and relaunch it for it to update
>> the information. I think you'll find that the Renew Until time is about
>> 2 days.
>>
>> By default Windows will lock the desktop after a short time of
>> inactivity so you're seeing this problem because you have somehow
>> bypassed that policy. Or you have been working for two days straight in
>> which case you have bigger problems than Kerberos ticket renewal
>> policies - you need a new employer ;-)
>>
>> Mike
>>
>> --
>> Michael B Allen
>> PHP Active Directory Kerberos SSO
>> http://www.ioplex.com/
>>
>
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
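As an added example (not code from the thread or from mod_auth_kerb), here is a small parser for the Resource Kit `klist tgt` output quoted above. It classifies the cached TGT against a given clock as still valid, expired but inside its "Renew Until" window (a renewal suffices), or expired past that window (the password is needed again, i.e. the ctrl-alt-del case Mike describes). The sample text, user name and realm are constructed; the renewable bit value is taken from the Windows KERB_TICKET_FLAGS definition.

```python
import re
from datetime import datetime

# Constructed sample modelled on the `klist tgt` output in the thread
# (placeholder user and realm, not the poster's real data).
SAMPLE_KLIST_TGT = """Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: someuser
DomainName: EXAMPLE.COM
TicketFlags: 0x40e00000
StartTime: 4/17/2007 1:10:58
EndTime: 4/17/2007 11:10:58
RenewUntil: 4/24/2007 1:10:58
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"          # format klist uses in the thread
KERB_TICKET_FLAGS_RENEWABLE = 0x00800000  # "renewable" bit in TicketFlags


def parse_klist_tgt(text):
    """Turn 'Key: value' lines of `klist tgt` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(.*\S)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def tgt_status(fields, now):
    """Return 'valid', 'expired-renewable' or 'expired-reauth' for the TGT.

    'expired-renewable': EndTime passed but RenewUntil has not, and the
    renewable flag is set, so the client can renew without the password.
    'expired-reauth': the cumulative life is used up; a fresh login
    (e.g. ctrl-alt-del) is the only way to obtain a new TGT.
    """
    end = datetime.strptime(fields["EndTime"], TIME_FMT)
    renew_until = datetime.strptime(fields["RenewUntil"], TIME_FMT)
    renewable = bool(int(fields["TicketFlags"], 16) & KERB_TICKET_FLAGS_RENEWABLE)
    if now < end:
        return "valid"
    if renewable and now < renew_until:
        return "expired-renewable"
    return "expired-reauth"


if __name__ == "__main__":
    tgt = parse_klist_tgt(SAMPLE_KLIST_TGT)
    print(tgt_status(tgt, datetime(2007, 4, 17, 9, 14, 0)))
```

Run it against real `klist tgt` output (redirected to a file) when a user reports a prompt; a result of "expired-renewable" points at the client not renewing, while "expired-reauth" matches the renewal-policy limit described in the thread.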