Re-authentication vs Renewal of credentials by a service and the impact to clients
Greg Hudson
ghudson at mit.edu
Thu May 12 11:02:24 EDT 2016
On 05/12/2016 09:48 AM, Todd Grayson wrote:
> When a service re-authenticates to the KDC, effectively getting a new TGT,
> are the service tickets related to previous instance of the TGT for that
> service, no longer valid?
No and yes. From a protocol perspective, service tickets remain valid
until they expire, regardless of what TGTs have been obtained since they
were issued.
From an implementation perspective (at least in MIT krb5 and Heimdal),
tickets are usually stored in a credential cache. If the TGT is
replaced or renewed, the credential cache is restarted from scratch,
discarding any pre-existing service tickets. There is no difference
between re-authentication and renewal in this respect.
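
One way to observe the cache behaviour described above by comparing two `klist` snapshots, as an added example that is not part of the original post. It assumes the MIT krb5 `klist` table layout; the function names and both sample caches are constructed for illustration.

```shell
# Added example. Assumes the MIT krb5 `klist` table layout:
#   <start date> <start time> <end date> <end time> <service principal>

# Print every non-TGT service principal found in klist output on stdin.
service_tickets() {
    awk '
        /^Valid starting/ { in_table = 1; next }    # ticket rows follow this header
        in_table && NF >= 5 && $1 ~ /^[0-9]/ && $5 !~ /^krbtgt\// { print $5 }
    '
}

# Print service principals present in snapshot $1 but missing from snapshot $2.
lost_tickets() {
    before=$(printf '%s\n' "$1" | service_tickets)
    after=$(printf '%s\n' "$2" | service_tickets)
    for p in $before; do
        printf '%s\n' "$after" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample: cache holding a TGT plus one service ticket.
BEFORE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
05/12/2016 09:00:00  05/12/2016 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 05/19/2016 09:00:00
05/12/2016 09:05:00  05/12/2016 19:00:00  host/server.example.com@EXAMPLE.COM
    renew until 05/19/2016 09:00:00'

# Constructed sample: the same cache after the TGT was renewed.
AFTER='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
05/12/2016 11:00:00  05/12/2016 21:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 05/19/2016 09:00:00'

# Live use: b=$(klist); kinit -R; a=$(klist); lost_tickets "$b" "$a"
lost_tickets "$BEFORE" "$AFTER"
```

The service ticket reported as lost is only gone from the cache; per the protocol point above, a copy held elsewhere stays valid until it expires.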