stale credential issue

Sean Garrett SEAN.GARRETT at asu.edu
Tue Mar 8 15:15:50 EST 2016


1. Windows app RDP servers, so a client, so to speak. MIT krb5.
2. Followed the instructions at MIT site for configuration of windows pass-thru authentication (native ~LSA, see snip from "old" documentation below).
3. Yea, from reading I have done it seems that: it is what it is   ;-(

<SNIP> A user is able to logon to Windows using the Kerberos LSA if the machine
is part of a Windows 2000 or Windows 2003 Active Directory domain or
if the machine has been configured to authenticate to a non-Microsoft KDC
such as MIT.  The instructions for configuring a Windows 2000/XP
workstation to authenticate to a non-Microsoft KDC are documented
in TechNet somewhere.  In brief:

    Install the Windows 2000 or XP support tools in order to obtain the tools: KSETUP.EXE and KTPASS.EXE.
    Install the Windows 2000 or XP Resource Kit to obtain the tools KERBTRAY.EXE and KLIST.EXE
    Add Realms and associated KDCs with: KSETUP /AddKdc <realm> [<kdcname>].  If you leave off the <kdcname> DNS SRV records will be used.
    Specify the password change service host for the realm with: KSETUP /AddKpasswd <realm> <Kpwdhost>
    Assign the realm of the local machine with: KSETUP /SetRealm <realm> where realm must be all upper case.
    Assign the local machine's password with: KSETUP /SetComputerPassword <Password>
    Specify the capabilities of the Realm KDC with: KSETUP /SetRealmFlags <realm> <flag> [<flag> ...] where flags may be None, SendAddress, TcpSupported, Delegate, or NcSupported.
    Map principal names to local accounts with: KSETUP /MapUser <principal> <account>

-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu]
Sent: Tuesday, March 08, 2016 12:34 PM
To: Sean Garrett <SEAN.GARRETT at asu.edu>; kerberos at mit.edu
Subject: Re: stale credential issue

On 03/08/2016 12:19 PM, Sean Garrett wrote:
> We run Kerberos 5

On a KDC, on clients, or on application servers?  By Kerberos 5, do you mean MIT krb5, and if so, what version?

> and occasionally we have some Windows boxes (2008r2, 2012...)

Are you using Kerberos for Windows on these clients, or just native Microsoft Kerberos?  If you're using the native Microsoft Kerberos, how are you getting the clients to interoperate with an MIT krb5 KDC, if that's what you are doing?

> that appear to hang on to old credentials after you change your password.

In the Kerberos model, changing your password does not invalidate existing tickets.  However, if the Microsoft login system is saving the password and using it to periodically get new tickets, a password change would obviously interfere with that.  I unfortunately don't know enough about the Microsoft login system to know whether it does that or how it can be made to continue working after a password change.
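The KSETUP sequence quoted in the snip above, as an added example script (not from the thread or from MIT's documentation) that runs the steps in order, checks each exit code, enforces the upper-case realm rule, and finishes with a cache purge, which is the practical answer to tickets that outlive a password change. The realm, host names, principal and account are placeholders; `klist purge` assumes the built-in Windows klist, not the Resource Kit copy.

```powershell
# Added example: configure a non-domain Windows host for an MIT realm with
# the ksetup steps from the quoted documentation, then verify and purge.
# All values below are placeholders to be replaced for a real deployment.
param(
    [string]$Realm       = 'EXAMPLE.ORG',        # placeholder realm
    [string]$Kdc         = 'kdc1.example.org',   # placeholder KDC host
    [string]$KpasswdHost = 'kdc1.example.org',   # placeholder kpasswd host
    [string]$Principal   = 'jdoe@EXAMPLE.ORG',   # placeholder principal
    [string]$Account     = 'jdoe'                # placeholder local account
)

# ksetup /SetRealm requires an all-upper-case realm; refuse anything else.
if ($Realm -cne $Realm.ToUpperInvariant()) {
    throw "Realm '$Realm' must be all upper case for ksetup /SetRealm."
}

# Prompt for the computer password rather than embedding it in the script.
$secure = Read-Host -Prompt 'Computer password for the realm' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Steps in the order the documentation gives them; TcpSupported is an
# assumed realm flag, pick the flags your KDC actually supports.
$steps = @(
    @('/AddKdc',              $Realm, $Kdc),
    @('/AddKpasswd',          $Realm, $KpasswdHost),
    @('/SetRealm',            $Realm),
    @('/SetComputerPassword', $plain),
    @('/SetRealmFlags',       $Realm, 'TcpSupported'),
    @('/MapUser',             $Principal, $Account)
)
foreach ($s in $steps) {
    & ksetup @s
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($s[0]) failed with exit code $LASTEXITCODE"
    }
}
$plain = $null

# Running ksetup with no arguments prints the stored realm/KDC settings;
# compare them with the intended values before relying on the host.
& ksetup

# Existing tickets stay valid after a password change; purging the LSA
# ticket cache makes the next logon fetch fresh ones with the new password.
& klist purge
```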


