[krbdev.mit.edu #1667] WINDOWS: ms2mit.exe imports expired TGTs into MIT CCache

via RT rt-comment at krbdev.mit.edu
Wed Jul 16 11:55:14 EDT 2003


The existing ms2mit code uses the following algorithm to retrieve a TGT
from the Kerberos LSA:

(1) query the LSA cache for a TGT
(2) if the TGT is of enctype DES-CBC-CRC return it
(3) otherwise, force a TGS request for an enctype of DES-CBC-CRC
(4) return TGT if received

Background:

The Microsoft LSA does not (under all circumstances) renew expired
tickets.  (In fact, in an environment with XP Pro authenticating against
a MIT KDC I have never seen tickets be renewed or replaced to prevent
expiration.)  The Microsoft LSA appears to ignore the expiration date of
tickets.  

The LSA will avoid placing a TGT into the LSA cache if it was retrieved
when a specific ENCTYPE or CACHE-OPTION has been specified.  

Therefore, if the KDC provides the LSA with a DES-CBC-CRC enctype TGT,
the ticket will expire during its initial lifetime.  Requests to import
the LSA credential to the MIT CCache will succeed but the credentials
will be useless.

Related issues:

As of Krb5 1.3, the only enctype supported by the LSA and not by MIT
Krb5 is RC4-MD4.  Restricting the supported enctype to DES-CBC-CRC is no
longer necessary.

Tickets marked as INVALID are returned.

Proposed Resolution:

(1) Alter the enctype restriction to accept all supported enctypes
(2) Test for ticket expiration
(3) Test for ticket validity
(4) Request new ticket without enctype specification; specify
DES-CBC-CRC only if the resulting TGT is unsupported
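The proposed resolution as a worked decision routine, added here as an example and not ms2mit's own code: a constructed in-memory stand-in replaces the LSA calls, the enctype numbers and the INVALID flag value are stated as assumptions, and `fetch_tgt` walks steps (1) through (4) above.

```c
#include <time.h>

/* Bit 7 of the ticket flags is INVALID (RFC 4120); enctype numbers are the
 * standard/Microsoft assignments. Both are stated here as example assumptions. */
#define TKT_FLAG_INVALID     0x01000000u
#define ENCTYPE_UNSPECIFIED  0        /* no enctype restriction in the request */
#define ENCTYPE_DES_CBC_CRC  1
#define ENCTYPE_RC4_HMAC     23
#define ENCTYPE_RC4_MD4      (-128)   /* LSA-only enctype that MIT krb5 1.3 lacks */
struct lsa_ticket { int enctype; unsigned flags; time_t end_time; };
enum verdict { TGT_OK, TGT_EXPIRED, TGT_INVALID, TGT_UNSUPPORTED };
/* Constructed stand-in for the LSA: the cached TGT plus what a forced TGS
 * request would return. A test sets these; no real LSA call is made. */
struct lsa_ticket fake_cached, fake_issued;
static void lsa_retrieve(int enctype, int force_new, struct lsa_ticket *out)
{
    *out = force_new ? fake_issued : fake_cached;
    if (force_new && enctype != ENCTYPE_UNSPECIFIED)
        out->enctype = enctype;           /* the KDC honours an explicit enctype */
}
static int mit_supports(int enctype)
{   /* constructed subset of what krb5 1.3 accepts; RC4-MD4 is deliberately absent */
    return enctype == ENCTYPE_DES_CBC_CRC || enctype == ENCTYPE_RC4_HMAC;
}

/* Steps (2) and (3): reject INVALID and expired TGTs rather than trusting
 * the LSA, which hands back expired tickets unchanged. */
enum verdict check_tgt(const struct lsa_ticket *t, time_t now)
{
    if (t->flags & TKT_FLAG_INVALID) return TGT_INVALID;
    if (t->end_time <= now)          return TGT_EXPIRED;
    if (!mit_supports(t->enctype))   return TGT_UNSUPPORTED;
    return TGT_OK;
}

/* Steps (1) and (4): take any supported enctype from the cache; otherwise ask
 * for a fresh TGT with no enctype, and fall back to DES-CBC-CRC only if needed. */
enum verdict fetch_tgt(time_t now, struct lsa_ticket *out)
{
    lsa_retrieve(ENCTYPE_UNSPECIFIED, 0, out);      /* (1) cache lookup */
    enum verdict v = check_tgt(out, now);
    if (v == TGT_OK) return v;
    lsa_retrieve(ENCTYPE_UNSPECIFIED, 1, out);      /* (4) new TGT, KDC picks */
    v = check_tgt(out, now);
    if (v != TGT_UNSUPPORTED) return v;
    lsa_retrieve(ENCTYPE_DES_CBC_CRC, 1, out);      /* last resort: DES-CBC-CRC */
    return check_tgt(out, now);
}
```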
