Mod_auth_kerb and Windows XP SP2

SriramG sgopalan at etrade.com
Tue Apr 17 12:22:37 EDT 2007


Ok again this morning, I started to get prompted. 
I unlocked my PC today. But it didn't renew my ticket. 

Here is my klist (The site I am trying to access is
mychannele.corp.mycompany.com)

C:\Program Files\Resource Kit>date /t
Tue 04/17/2007

C:\Program Files\Resource Kit>time /t
09:14 AM

C:\Program Files\Resource Kit>klist tickets

Cached Tickets: (7)

   Server: krbtgt/CORP.MYCOMPANY.COM at CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58


   Server: krbtgt/CORP.MYCOMPANY.COM at CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58


   Server: SFO1DC1$@CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58


   Server:
ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com at CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58


   Server: LXDM14545$@CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58


   Server: HTTP/mychannele.corp.mycompany.com at CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58


   Server: SFO1-GFS6LB1$@CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58


C:\Program Files\Resource Kit>klist tgt

Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: sgopalan
DomainName: CORP.MYCOMPANY.COM?
TargetDomainName: CORP.MYCOMPANY.COM?
AltTargetDomainName: CORP.MYCOMPANY.COM?
TicketFlags: 0x40e00000
KeyExpirationTime: 256/0/29920 0:103:8048
StartTime: 4/17/2007 1:10:58
EndTime: 4/17/2007 11:10:58
RenewUntil: 4/24/2007 1:10:58
TimeSkew: 4/24/2007 1:10:58


--Sriram

C:\Program Files\Resource Kit>

Michael B Allen wrote:
> 
> On Mon, 16 Apr 2007 23:34:42 -0400
> "Gopalan, Sriram" <sgopalan at etrade.com> wrote:
> 
>> Allen,
>> 
>> Thanks for your response.
>> 1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
>> hour). But it's not consistent.
>> 2. If I leave my desktop idle for 10 mins, our corporate policy locks
>> the desktop, but it doesn't create a new ticket when I unlock it.
>>    Not sure if that's controlled by GPO.
>> 3. For sure it creates a new TGT or renews the TGT when I manually lock
>> and unlock.
> 
> This sounds like a completely different problem which has been discussed
> on the mod_auth_kerb list previously. And for which there was no
> resolution.
> 
>> Next time when this happens I will run the klist and check the ticket
>> EndTime.
>> 
>> I was able to confirm that, if the server is IIS, it switches to NTLM in
>> this scenario, whereas mod_auth_kerb doesn't support NTLM.
> 
> If you can reproduce the problem with IIS that sounds like precedent
> for requesting an explanation from MS.
> 
>> Actually we are seeing the same symptoms as mentioned in the KB article.
>> http://support.microsoft.com/kb/885887
>> But the DLL version I have here is 5.1.2600.2698. Which is higher than
>> whats mentioned on the article.
> 
> This sounds like a simple domain controller availability issue. Perhaps
> mod_auth_kerb or libkrb5 could benefit from some retry capability.
> 
> Mike
> 
>> -----Original Message-----
>> From: Michael B Allen [mailto:mba2000 at ioplex.com] 
>> Sent: Monday, April 16, 2007 4:56 PM
>> To: Gopalan, Sriram
>> Cc: kerberos at mit.edu
>> Subject: Re: Mod_auth_kerb and Windows XP SP2
>> 
>> > > On the kerbtray I can see a valid ticket (non-expired).
>> > > If the user locks the desktop(ctrl-alt-del) and unlocks it its 
>> > > starts working fine again.
>> 
>> The TGT is expiring. TGT tickets have a "cumulative ticket life" that is
>> limited by ticket renewal policy. When it expires the secret key is
>> required to get a new one (e.g. the password via ctrl-alt-del).
>> 
>> Look at the Renew Until field in kerbtray. Note that kerbtray does not
>> update automatically. You must close it and relaunch it for it to update
>> the information. I think you'll find that the Renew Until time is about
>> 2 days.
>> 
>> By default Windows will lock the desktop after a short time of
>> inactivity so you're seeing this problem because you have somehow
>> bypassed that policy. Or you have been working for two days straight in
>> which case you have bigger problems than Kerberos ticket renewal
>> policies - you need a new employer ;-)
>> 
>> Mike
>> 
>> --
>> Michael B Allen
>> PHP Active Directory Kerberos SSO
>> http://www.ioplex.com/
>> 
> 
> 
> -- 
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 
View this message in context: http://www.nabble.com/Mod_auth_kerb-and-Windows-XP-SP2-tf3586194.html#a10039103
Sent from the Kerberos - General mailing list archive at Nabble.com.
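The thread turns on reading End Time and Renew Time out of the Resource Kit `klist tickets` output by hand. Below is an added example (not code from the thread, mod_auth_kerb, or Microsoft) that parses that output format and classifies each ticket at a given clock time. The sample text is constructed to mirror the quoted session, including the wrapped `Server:` line and the `$@REALM` form used for machine-account tickets. The classification encodes the RFC 4120 rule that a renewable ticket must be renewed before its End Time; once End Time has passed, the principal's long-term key (the password) is needed for a fresh TGT, which is the ctrl-alt-del effect Mike describes. It also flags DES encryption types, since the quoted HTTP service ticket is `DES-CBC-MD5` and DES is deprecated for Kerberos (RFC 6649). Run against the quoted session's clock of 09:14, every ticket comes back valid, which is consistent with the tickets not having expired when that output was captured.

```python
"""Parse Windows Resource Kit `klist tickets` output and classify each ticket.

Added example for the thread above; not code from mod_auth_kerb or Microsoft.
"""
import re
from datetime import datetime

# Constructed sample modelled on the klist output quoted in the thread.
KLIST_SAMPLE = """\
Cached Tickets: (4)

   Server: krbtgt/CORP.MYCOMPANY.COM at CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58

   Server: SFO1DC1$@CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58

   Server:
ldap/sfo1dc1.corp.mycompany.com/corp.mycompany.com at CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58

   Server: HTTP/mychannele.corp.mycompany.com at CORP.MYCOMPANY.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 4/17/2007 11:10:58
      Renew Time: 4/24/2007 1:10:58
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"          # Resource Kit klist date format
WEAK_ETYPES = ("DES-CBC-MD5", "DES-CBC-CRC")  # deprecated by RFC 6649

# One ticket block: "Server: <name> at <REALM>" or "Server: <name>$@<REALM>",
# possibly wrapped onto the next line, followed by etype, End Time, Renew Time.
BLOCK_RE = re.compile(
    r"Server:\s*(?P<server>.+?)(?:\s+at\s+|@)(?P<realm>\S+)\s*"
    r"KerbTicket Encryption Type:\s*(?P<etype>.+?)\s*"
    r"End Time:\s*(?P<end>[\d/]+ [\d:]+)\s*"
    r"Renew Time:\s*(?P<renew>[\d/]+ [\d:]+)",
    re.DOTALL,
)


def parse_klist(text):
    """Return a list of ticket dicts parsed from `klist tickets` output."""
    tickets = []
    for m in BLOCK_RE.finditer(text):
        tickets.append({
            "server": " ".join(m.group("server").split()),  # undo line wrap
            "realm": m.group("realm"),
            "etype": m.group("etype").strip(),
            "end": datetime.strptime(m.group("end"), TIME_FMT),
            "renew_until": datetime.strptime(m.group("renew"), TIME_FMT),
        })
    return tickets


def weak_etype(ticket):
    """True if the ticket's session key uses a deprecated DES enctype."""
    return any(w in ticket["etype"].upper() for w in WEAK_ETYPES)


def classify(ticket, now):
    """Lifetime state of a ticket at `now`.

    RFC 4120 sec. 2.3: a renewable ticket must be presented for renewal
    *before* its end time. Past End Time it is simply expired and a new
    TGT needs the principal's long-term key (the password).
    """
    if now >= ticket["end"]:
        return "expired"
    if ticket["renew_until"] > ticket["end"]:
        return "valid-renewable"
    return "valid-final"  # last instance; cannot be renewed past End Time


def audit(text, now):
    """Classify every ticket in `text`: list of (server, state, weak_etype)."""
    return [(t["server"], classify(t, now), weak_etype(t))
            for t in parse_klist(text)]


if __name__ == "__main__":
    now = datetime(2007, 4, 17, 9, 14)  # the `time /t` in the quoted session
    for server, state, weak in audit(KLIST_SAMPLE, now):
        print("%-55s %-16s%s" % (server, state, "  WEAK ETYPE" if weak else ""))
```

Feed it the real output (`klist tickets > tickets.txt`) and the clock from `time /t` whenever the prompt appears: an `expired` TGT points at ticket lifetime or cumulative renewal policy, while a `valid-renewable` TGT at the moment of the prompt points elsewhere (the DC-availability or NTLM-fallback angles raised later in the thread).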
