longer ticket life vs auto renew
Nico Williams
nico at cryptonector.com
Tue Aug 14 11:47:42 EDT 2012
On Mon, Aug 13, 2012 at 7:05 AM, Mark Pröhl <mark at mproehl.net> wrote:
> if a ticket has been issued to the client, the KDC cannot revoke that
> ticket, even if the client is deleted or disabled. But if the client
> needs to do a renew request from time to time, the KDC might not issue
> new tickets if the client is deleted or disabled.
A few remarks regarding revocation:
- For same realm client and service the TGS should check that the
client principal is still valid.
- For x-realm tickets the most reasonable thing to do may be to
shorten ticket life.
Nico
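
The trade-off in the subject line, as an added example that is not part of the original message and not code from any Kerberos implementation: a toy KDC that refuses renewal once the principal is disabled, used to compare how long a disabled client still holds a valid ticket. ToyKDC, exposure_after_disable, and the lifetimes and disable time are assumptions constructed for illustration, and only the renewal path is modelled.

```python
# Toy model for illustration; not MIT krb5 or Heimdal code. All names are hypothetical.
from dataclasses import dataclass

HOUR, DAY = 3600, 86400

@dataclass
class Ticket:
    end: int          # endtime, seconds after the initial login
    renew_till: int   # absolute limit past which renewal is refused

class ToyKDC:
    def __init__(self, max_life, max_renew, disabled_at):
        self.max_life, self.max_renew = max_life, max_renew
        self.disabled_at = disabled_at  # when the admin disables the principal

    def principal_ok(self, now):
        return now < self.disabled_at

    def issue(self, now):
        # Initial ticket; assumes the principal is still enabled at login.
        return Ticket(now + self.max_life, now + self.max_renew)

    def renew(self, tkt, now):
        # Refuse if the ticket expired, hit renew-till, or the principal is gone.
        if now >= tkt.end or now >= tkt.renew_till or not self.principal_ok(now):
            return None
        return Ticket(min(now + self.max_life, tkt.renew_till), tkt.renew_till)

def exposure_after_disable(max_life, max_renew, renew_every, disabled_at):
    """Seconds a disabled client still holds a valid ticket.

    renew_every=None models a client that never renews (one long-lived ticket).
    """
    kdc = ToyKDC(max_life, max_renew, disabled_at)
    tkt = kdc.issue(0)
    now = renew_every
    while now is not None:
        renewed = kdc.renew(tkt, now)
        if renewed is None:
            break
        tkt, now = renewed, now + renew_every
    return max(0, tkt.end - disabled_at)

# Constructed scenario: principal disabled two hours after login.
long_life = exposure_after_disable(7 * DAY, 7 * DAY, None, 2 * HOUR)
short_renew = exposure_after_disable(1 * HOUR, 7 * DAY, 30 * 60, 2 * HOUR)

if __name__ == "__main__":
    print(f"7d ticket, no renew : usable {long_life / HOUR:.1f} h after disable")
    print(f"1h ticket, 30m renew: usable {short_renew / 60:.0f} min after disable")
```

In this model the exposure after a disable is bounded by the ticket lifetime, not by the renewable lifetime.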