Mod_auth_kerb and Windows XP SP2
SriramG
sgopalan at etrade.com
Tue May 1 22:08:05 EDT 2007
Just wanted to update back, if anyone ends up with this issue.
We contacted MS; they provided a hotfix as mentioned in the KB:
http://support.microsoft.com/kb/906524/en-us
We have installed it on 3 desktops. No more authentication prompts. It works
every single time. No issues so far (10 days). I haven't rebooted or logged
off the desktop yet in the last 10 days. I just lock the desktop when I
am not using it.
We are planning to push this to 100+ desktops next week. Will post back the
results.
--Sriram
SriramG wrote:
>
> Allen,
>
> Thanks for your response.
> 1. I have seen the auth dialog pop up on FF and IE after ctrl-alt-del (1
> hour). But it's not consistent.
> 2. If I leave my desktop idle for 10 mins, our corporate policy locks the
> desktop, but it doesn’t create a new ticket when I unlock it.
> Not sure if that’s controlled by GPO.
> 3. For sure it creates a new TGT or renews the TGT when I manually lock
> and unlock.
>
> Next time when this happens I will run the klist and check the ticket
> EndTime.
>
> I was able to confirm that, if the server is IIS, it switches to NTLM in
> this scenario, whereas mod_auth_kerb doesn’t support NTLM.
>
> Actually we are seeing the same symptoms as mentioned in the KB article.
> http://support.microsoft.com/kb/885887
> But the DLL version I have here is 5.1.2600.2698, which is higher than
> what's mentioned in the article.
>
> --Sriram
>
>
> Michael B Allen wrote:
>>
>>> > On the kerbtray I can see a valid ticket (non-expired).
>>> > If the user locks the desktop (ctrl-alt-del) and unlocks it, it starts
>>> > working fine again.
>>
>> The TGT is expiring. TGT tickets have a "cumulative ticket life" that
>> is limited by ticket renewal policy. When it expires the secret key is
>> required to get a new one (e.g. the password via ctrl-alt-del).
>>
>> Look at the Renew Until field in kerbtray. Note that kerbtray does not
>> update automatically. You must close it and relaunch it for it to update
>> the information. I think you'll find that the Renew Until time is about
>> 2 days.
>>
>> By default Windows will lock the desktop after a short time of inactivity
>> so you're seeing this problem because you have somehow bypassed that
>> policy. Or you have been working for two days straight in which case
>> you have bigger problems than Kerberos ticket renewal policies - you
>> need a new employer ;-)
>>
>> Mike
>>
>> --
>> Michael B Allen
>> PHP Active Directory Kerberos SSO
>> http://www.ioplex.com/
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>
--
View this message in context: http://www.nabble.com/Mod_auth_kerb-and-Windows-XP-SP2-tf3586194.html#a10279081
Sent from the Kerberos - General mailing list archive at Nabble.com.