Mod_auth_kerb and Windows XP SP2
sgopalan at etrade.com
Tue May 1 22:08:05 EDT 2007
Just wanted to update back, if anyone ends up with this issue.
We contacted MS and they provided a hotfix as mentioned on the KB
We have installed it on 3 desktops. No more authentication prompts. It works
every single time. No issues so far (10 days). I haven't rebooted or logged
off the desktop yet in the last 10 days. I just lock the desktop when I
am not using it.
We are planning to push this to 100+ desktops next week. Will post back the
> Thanks for your response.
> 1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
> hour). But it's not consistent.
> 2. If I leave my desktop idle for 10 mins, our corporate policy locks the
> desktop, but it doesn’t create a new ticket when I unlock it.
> Not sure if that’s controlled by GPO.
> 3. For sure it creates a new TGT or renews the TGT when I manually lock
> and unlock.
> Next time when this happens I will run the klist and check the ticket
> I was able to confirm that, if the server is IIS, it switches to NTLM in
> this scenario, whereas mod_auth_kerb doesn’t support NTLM.
> Actually we are seeing the same symptoms as mentioned in the KB article.
> But the DLL version I have here is 5.1.2600.2698, which is higher than
> what's mentioned in the article.
> Michael B Allen wrote:
>>> > On the kerbtray I can see a valid ticket (non-expired).
>>> > If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
>>> > working fine again.
>> The TGT is expiring. TGT tickets have a "cumulative ticket life" that
>> is limited by ticket renewal policy. When it expires the secret key is
>> required to get a new one (e.g. the password via ctrl-alt-del).
>> Look at the Renew Until field in kerbtray. Note that kerbtray does not
>> update automatically. You must close it and relaunch it for it to update
>> the information. I think you'll find that the Renew Until time is about
>> 2 days.
>> By default Windows will lock the desktop after a short time of inactivity
>> so you're seeing this problem because you have somehow bypassed that
>> policy. Or you have been working for two days straight in which case
>> you have bigger problems than Kerberos ticket renewal policies - you
>> need a new employer ;-)
>> Michael B Allen
>> PHP Active Directory Kerberos SSO
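
The renewal limit described in the quoted reply ("Renew Until", cumulative ticket life) can be walked through in code. This is an added example, not part of the original thread: the function names, the 10-hour ticket life, the 30-minute renewal margin and the logon time are constructed, and the 2-day renewal window is the "about 2 days" figure from the reply. It models standard renewable-ticket behaviour, where each renewal gets a new end time capped at the fixed renew-until time.

```python
from datetime import datetime, timedelta

def renewal_schedule(auth_time, ticket_life, renew_life, margin):
    """Walk a renewable TGT from initial logon until it can no longer be renewed.

    Returns (renewals, reauth_at). renewals is a list of (renewed_at, new_endtime);
    reauth_at is when the last ticket expires and the long-term key (password,
    e.g. via desktop unlock) is needed to obtain a fresh TGT.
    """
    if margin >= ticket_life:
        raise ValueError("renewal margin must be shorter than the ticket life")
    renew_till = auth_time + renew_life           # fixed at logon, never extended
    endtime = min(auth_time + ticket_life, renew_till)
    renewals = []
    while endtime < renew_till:
        renewed_at = endtime - margin             # renew shortly before expiry
        endtime = min(renewed_at + ticket_life, renew_till)  # capped by renew-till
        renewals.append((renewed_at, endtime))
    return renewals, endtime

def ticket_state(now, endtime, renew_till):
    """Classify a TGT the way the 'Renew Until' field should be read."""
    if now >= endtime:
        return "reauth"      # expired: only the password yields a new TGT
    if endtime < renew_till:
        return "renewable"   # valid, and can still be extended without password
    return "final"           # valid, but this is the last ticket of the chain

# Constructed sample values (assumptions, not taken from the thread's tickets).
LOGON = datetime(2007, 4, 30, 9, 0)
TICKET_LIFE = timedelta(hours=10)
RENEW_LIFE = timedelta(days=2)
MARGIN = timedelta(minutes=30)

if __name__ == "__main__":
    renewals, reauth_at = renewal_schedule(LOGON, TICKET_LIFE, RENEW_LIFE, MARGIN)
    for renewed_at, new_end in renewals:
        print(f"renewed {renewed_at}  ->  expires {new_end}")
    print(f"password required after {reauth_at}")
```
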