stale credential issue

Greg Hudson ghudson at mit.edu
Tue Mar 8 14:34:22 EST 2016


On 03/08/2016 12:19 PM, Sean Garrett wrote:
> We run Kerberos 5

On a KDC, on clients, or on application servers?  By Kerberos 5, do you
mean MIT krb5, and if so, what version?

> and occasionally we have some Windows boxes (2008r2, 2012...)

Are you using Kerberos for Windows on these clients, or just native
Microsoft Kerberos?  If you're using the native Microsoft Kerberos, how
are you getting the clients to interoperate with an MIT krb5 KDC, if
that's what you are doing?

> that appear to hang on to old credentials after you change your password.

In the Kerberos model, changing your password does not invalidate
existing tickets.  However, if the Microsoft login system is saving the
password and using it to periodically get new tickets, a password change
would obviously interfere with that.  I unfortunately don't know enough
about the Microsoft login system to know whether it does that or how it
can be made to continue working after a password change.

